diff --git a/packages/crowdstrike/_dev/build/docs/README.md b/packages/crowdstrike/_dev/build/docs/README.md
index 54ef7d0ba76..f91856e0ee1 100644
--- a/packages/crowdstrike/_dev/build/docs/README.md
+++ b/packages/crowdstrike/_dev/build/docs/README.md
@@ -22,8 +22,38 @@ Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from
 ### FDR
-The Falcon Data Replicator replicates log data from your CrowdStrike environment to a stand-alone target. This target can be a location on the file system, or an S3 bucket.
+The CrowdStrike Falcon Data Replicator (FDR) allows CrowdStrike users to replicate FDR data from CrowdStrike
+managed S3 buckets. CrowdStrike writes notification events to a CrowdStrike managed SQS queue when new data is
+available in S3.
+This integration can be used in two ways. It can consume SQS notifications directly from the CrowdStrike managed
+SQS queue or it can be used in conjunction with the FDR tool that replicates the data to a self-managed S3 bucket
+and the integration can read from there.
+
+In both cases SQS messages are deleted after they are processed. This allows you to operate more than one Elastic
+Agent with this integration if needed and not have duplicate events, but it means you cannot ingest the data a second time.
+
+#### Use with CrowdStrike managed S3/SQS
+
+This is the simplest way to setup the integration, and also the default.
+
+You need to set the integration up with the SQS queue URL provided by Crowdstrike FDR.
+Ensure the `Is FDR queue` option is enabled.
+
+#### Use with FDR tool and data replicated to a self-managed S3 bucket
+
+This option can be used if you want to archive the raw CrowdStrike data.
+
+You need to follow the steps below:
+
+- Create a S3 bucket to receive the logs.
+- Create a SQS queue.
+- Configure your S3 bucket to send object created notifications to your SQS queue.
+- Follow the [FDR tool](https://github.com/CrowdStrike/FDR) instructions to replicate data to your own S3 bucket.
+- Configure the integration to read from your self-managed SQS topic.
+- Disable the `Is FDR queue` option in the integration.
+
+**NOTE: While the FDR tool can replicate the files from S3 to your local file system, this integration cannot read those files because they are gzip compressed, and the log file input does not support reading compressed files.**
 #### Configuration for the S3 input
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
index 5df74fcede6..a0fb9b92a63 100644
--- a/packages/crowdstrike/changelog.yml
+++ b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "1.0.4"
+ changes:
+ - description: Add ability to read from both FDR provided and user owned SQS queues for FDR.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2198
+ - description: Pipeline fixes for FDR
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2198
 - version: "1.0.3"
 changes:
 - description: Uniform with guidelines
diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log
index d2fe20312a9..291c2e82b95 100644
--- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log
+++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log
@@ -122,3 +122,4 @@
 {"AuthenticationId":"703298","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2642284486","ContextProcessId":"1161025471861","ContextThreadId":"34929528116709","ContextTimeStamp":"1604851030.593","DiskParentDeviceInstanceId":"USB\\VID_1058\u0026PID_2621\\57583431453939315A4C5255","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"262fbc677256cf4c8d6c6a227285a072c06830873b000000","FileObject":"18446664963104449168","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"1","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"517029","TargetFileName":"\\Device\\HarddiskVolume5\\01.png.tmp$$","TokenType":"1","UserName":"user9","aid":"ffffffff16bf4c7bb5ad755a4722025c","aip":"208.216.134.196","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"GenericFileWritten","id":"ffffffff-1111-11eb-800a-06cecfd73923","name":"GenericFileWrittenV11","timestamp":"1604851031298"}
 {"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":"1604850899.164","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"208.216.150.196","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812"}
 {"ConfigBuild":"1007.4.0009906.1","ConfigStateHash":"3429017943","ContextProcessId":"66426035996442255","ContextTimeStamp":"1604851098.548","Entitlements":"15","aid":"ffffffff899541b94b9adff8922aa70a","aip":"208.193.200.164","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"FirewallDisabled","id":"ffffffff-1111-11eb-9d4c-02f402df8c1f","name":"FirewallDisabledMacV1","timestamp":"1604851040625"}
+{"AgentLoadFlags":"0","AgentLocalTime":"1636436839.9529998","AgentTimeOffset":"125.319","AgentVersion":"6.31.14404.0","BiosManufacturer":"Apple Inc.","BiosVersion":"1554.140.20.0.0 (iBridge: 18.16.14759.0.1,0)","ChassisType":"Laptop","City":"San Francisco","ComputerName":"mac1","ConfigBuild":"1007.4.0014404.1","ConfigIDBuild":"14404","Continent":"North America","Country":"United States","FalconGroupingTags":"-","FirstSeen":"1625682391.0","HostHiddenStatus":"Visible","MachineDomain":"none","OU":"none","PointerSize":"none","ProductType":"1","SensorGroupingTags":"-","ServicePackMajor":"none","SiteName":"none","SystemManufacturer":"Apple Inc.","SystemProductName":"MacBookPro16,2","Time":"1636448427.3539999","Timezone":"America/Los_Angeles","Version":"Big Sur (11.0)","aid":"fffffffffffaaaaaaaaabbbbbbbb","aip":"208.30.227.225","cid":"ffffffff30a3407dae27d0503611022ff","event_platform":"Mac"} \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json index ae22ad023f3..ef3e5b50a36 100644 --- a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json +++ b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log-expected.json @@ -36,11 +36,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffa63e404bba4bff7465ab3afb", "address": "208.210.242.193", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.210.242.193" + "ip": "208.210.242.193", + "serial_number": "ffffffffa63e404bba4bff7465ab3afb", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:21.137Z", "ecs": { 
@@ -58,7 +59,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460224900Z", + "ingested": "2021-11-22T09:23:55.465427800Z", "original": "{\"ParentProcessId\":\"362225661973273550\",\"SourceProcessId\":\"362225661973273550\",\"aip\":\"208.210.242.193\",\"SessionProcessId\":\"363970027584976556\",\"SyntheticPR2Flags\":\"8\",\"event_platform\":\"Mac\",\"SVUID\":\"501\",\"id\":\"ffffffff-1111-11eb-8dd4-061759968cdf\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677521162\",\"ProcessGroupId\":\"363970027584976556\",\"event_simpleName\":\"SyntheticProcessRollup2\",\"RawProcessId\":\"9505\",\"ContextTimeStamp\":\"1625677521.137\",\"GID\":\"20\",\"ConfigStateHash\":\"1620585913\",\"SVGID\":\"20\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"501\",\"CommandLine\":\"/bin/sh -s unix:cmd\",\"TargetProcessId\":\"363970027584976556\",\"ImageFileName\":\"/bin/sh\",\"RGID\":\"501\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"SyntheticProcessRollup2MacV3\",\"RUID\":\"501\",\"aid\":\"ffffffffa63e404bba4bff7465ab3afb\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:21.162Z", "kind": "event", @@ -121,11 +122,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff3c0846978560dbc0048d6555", "address": "208.254.115.95", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.254.115.95" + "ip": "208.254.115.95", + "serial_number": "ffffffff3c0846978560dbc0048d6555", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:23.068Z", "ecs": { 
@@ -143,7 +145,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460237200Z", + "ingested": "2021-11-22T09:23:55.465437600Z", "original": "{\"FileDeletedCount\":\"0\",\"DirectoryCreatedCount\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"208.254.115.95\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"event_platform\":\"Mac\",\"NetworkBindCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"id\":\"ffffffff-1111-11eb-9d75-02bcf3ade03b\",\"NewExecutableWrittenCount\":\"0\",\"NetworkCloseCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"SuspectStackCount\":\"0\",\"timestamp\":\"1625677524102\",\"event_simpleName\":\"EndOfProcess\",\"RawProcessId\":\"33454\",\"ContextTimeStamp\":\"1625677523.068\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053603452626914\",\"AsepWrittenCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"NetworkCapableAsepWriteCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"TargetProcessId\":\"365053603452626914\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"name\":\"EndOfProcessMacV15\",\"aid\":\"ffffffff3c0846978560dbc0048d6555\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:24.102Z", "kind": "event", @@ -222,11 +224,12 @@ "lat": 42.1646 } }, - "serial_number": "ffffffffc59c473aa7fcbbe7438082cb", "address": "208.126.205.223", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.126.205.223" + "ip": "208.126.205.223", + "serial_number": "ffffffffc59c473aa7fcbbe7438082cb", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:48.594Z", "ecs": { 
@@ -248,7 +251,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460245800Z", + "ingested": "2021-11-22T09:23:55.465444600Z", "original": "{\"event_simpleName\":\"RawBindIP6\",\"ContextTimeStamp\":\"1625677488.594\",\"LocalAddressIP6\":\"ff88:1:1:ffff:fa2d:c0ff:fe6f:70a0\",\"RemoteAddressIP6\":\"ff88:1:1:ffff:1014:ce99:9b06:ab12\",\"ConfigStateHash\":\"1620585913\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"365042236081053654\",\"RemotePort\":\"546\",\"aip\":\"208.126.205.223\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"547\",\"Entitlements\":\"15\",\"name\":\"RawBindIP6MacV10\",\"id\":\"ffffffff-1111-11eb-ad8d-064c77be2fd1\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffffc59c473aa7fcbbe7438082cb\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677488615\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:48.615Z", "kind": "event", @@ -317,11 +320,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff59fe460783ea45d59e417d6f", "address": "208.130.207.129", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.130.207.129" + "ip": "208.130.207.129", + "serial_number": "ffffffff59fe460783ea45d59e417d6f", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:04.527Z", "ecs": { 
@@ -340,7 +344,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460254Z", + "ingested": "2021-11-22T09:23:55.465451300Z", "original": "{\"event_simpleName\":\"ProcessRollup2Stats\",\"ConfigStateHash\":\"1620585913\",\"Timeout\":\"600\",\"aip\":\"208.130.207.129\",\"SHA256HashData\":\"f8bd34d4ac025f862c6fe8f3fd3f170072f94f1f2ec9dc6cb2d7925422b77018\",\"ProcessCount\":\"4\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"502\",\"event_platform\":\"Mac\",\"CommandLine\":\"ruby --disable-gems sorbet/feature_dependency_plugin.rb --class EmergingAlbertsonsPickupBannerDiscount --method feature_dependency --source feature_dependency Domain::FeatureDependencies::RouletteUserFeature.new(\\n feature_name: FEATURE_NAME,\\n variants: [FEATURE_VARIANT],\\n )\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2StatsMacV1\",\"id\":\"ffffffff-1111-11eb-822b-06081a3f0f45\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff59fe460783ea45d59e417d6f\",\"timestamp\":\"1625677504527\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:04.527Z", "kind": "state", @@ -381,11 +385,12 @@ "lat": 51.5167 } }, - "serial_number": "ffffffffe1ad47b6b5b44ae9151a6cf3", "address": "208.49.81.196", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.49.81.196" + "ip": "208.49.81.196", + "serial_number": "ffffffffe1ad47b6b5b44ae9151a6cf3", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:14.783Z", "os": { 
@@ -406,7 +411,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460303700Z", + "ingested": "2021-11-22T09:23:55.465458Z", "original": "{\"event_simpleName\":\"SensorHeartbeat\",\"ConfigStateHash\":\"3090255842\",\"NetworkContainmentState\":\"0\",\"aip\":\"208.49.81.196\",\"ConfigIDBase\":\"65994753\",\"SensorStateBitMap\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"ConfigurationVersion\":\"10\",\"Entitlements\":\"15\",\"name\":\"SensorHeartbeatMacV4\",\"ConfigIDPlatform\":\"4\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"ConfigIDBuild\":\"13701\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffe1ad47b6b5b44ae9151a6cf3\",\"ProvisionState\":\"1\",\"timestamp\":\"1625677514783\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:14.783Z", "kind": "event", @@ -482,11 +487,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff8be84591864008eb2e484920", "address": "208.24.129.49", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.24.129.49" + "ip": "208.24.129.49", + "serial_number": "ffffffff8be84591864008eb2e484920", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:02.500Z", "ecs": { 
@@ -506,7 +512,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460314Z", + "ingested": "2021-11-22T09:23:55.465464900Z", "original": "{\"MachOSubType\":\"1\",\"ParentProcessId\":\"362213307092004097\",\"SourceProcessId\":\"362213307092004097\",\"aip\":\"208.24.129.49\",\"SessionProcessId\":\"362213307092004097\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"event_platform\":\"Mac\",\"ProcessEndTime\":\"\",\"SVUID\":\"0\",\"ParentBaseFileName\":\"launchd\",\"id\":\"ffffffff-1111-11eb-a9ce-02e9216bdbcb\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677502500\",\"ProcessGroupId\":\"362213307092004097\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"56254\",\"GID\":\"0\",\"ConfigStateHash\":\"1620585913\",\"SVGID\":\"0\",\"MD5HashData\":\"88922d50263b059696c2af5a99906562\",\"SHA256HashData\":\"d4ff1c438e330777002332a305fcf965cfaa7d0dbeb899293d347298cbf6d4b6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"CommandLine\":\"xpcproxy com.apple.mdworker.shared.01000000-0600-0000-0000-000000000000\",\"TargetProcessId\":\"363276350115996101\",\"ImageFileName\":\"/usr/libexec/xpcproxy\",\"RGID\":\"0\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2MacV5\",\"RUID\":\"0\",\"ProcessStartTime\":\"1625677502.233\",\"aid\":\"ffffffff8be84591864008eb2e484920\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:02.500Z", "kind": "event", @@ -596,11 +602,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b", "address": "208.238.3.157", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "208.238.3.157" + "ip": "208.238.3.157", + "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:05:04.982Z", "ecs": { 
@@ -622,7 +629,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460322400Z", + "ingested": "2021-11-22T09:23:55.465471600Z", "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkReceiveAcceptIP4\",\"ContextTimeStamp\":\"1625677504.982\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"17307488247882\",\"RemotePort\":\"53\",\"aip\":\"208.238.3.157\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"39920\",\"Entitlements\":\"15\",\"name\":\"NetworkReceiveAcceptIP4LinV5\",\"id\":\"ffffffff-1111-11eb-9d7c-02e8a46f51a5\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff5a2e420c99f6b6d3a5d9de9b\",\"RemoteAddressIP4\":\"208.230.0.2\",\"ConnectionDirection\":\"1\",\"InContext\":\"0\",\"timestamp\":\"1625677505511\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:05.511Z", "kind": "event", @@ -701,11 +708,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff01fc49949cf06bf0bce3c010", "address": "208.215.150.206", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.215.150.206" + "ip": "208.215.150.206", + "serial_number": "ffffffff01fc49949cf06bf0bce3c010", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:21.866Z", "ecs": { 
@@ -727,7 +735,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460330500Z", + "ingested": "2021-11-22T09:23:55.465478400Z", "original": "{\"LocalAddressIP4\":\"208.30.0.2\",\"event_simpleName\":\"RawBindIP4\",\"ContextTimeStamp\":\"1625677521.866\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"362579458925546303\",\"RemotePort\":\"0\",\"aip\":\"208.215.150.206\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"53\",\"Entitlements\":\"15\",\"name\":\"RawBindIP4MacV10\",\"id\":\"ffffffff-1111-11eb-81d4-0282ad9ac82d\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff01fc49949cf06bf0bce3c010\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677522009\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:22.009Z", "kind": "event", @@ -793,11 +801,12 @@ "lat": 45.5152 } }, - "serial_number": "ffffffff083845f68a7de3d95cb34361", "address": "208.187.110.246", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.187.110.246" + "ip": "208.187.110.246", + "serial_number": "ffffffff083845f68a7de3d95cb34361", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:23.901Z", "ecs": { 
@@ -819,7 +828,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460338700Z", + "ingested": "2021-11-22T09:23:55.465485100Z", "original": "{\"event_simpleName\":\"NetworkConnectIP6\",\"ContextTimeStamp\":\"1625677523.901\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemoteAddressIP4\":\"127.0.0.1\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364783686797112486\",\"RemotePort\":\"50626\",\"aip\":\"208.187.110.246\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"0\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP6MacV10\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff083845f68a7de3d95cb34361\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677524048\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:24.048Z", "kind": "event", @@ -890,11 +899,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffcf45409f87ed463b40c368ec", "address": "208.194.125.248", - "version": "1007.8.0010912.1", "vendor": "crowdstrike", - "ip": "208.194.125.248" + "ip": "208.194.125.248", + "serial_number": "ffffffffcf45409f87ed463b40c368ec", + "type": "agent", + "version": "1007.8.0010912.1" }, "@timestamp": "2021-07-07T17:05:35.482Z", "ecs": { 
@@ -914,7 +924,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460346900Z", + "ingested": "2021-11-22T09:23:55.465491900Z", "original": "{\"ParentProcessId\":\"38911774195823\",\"SourceProcessId\":\"38911774195823\",\"aip\":\"208.194.125.248\",\"SessionProcessId\":\"38911772846634\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"event_platform\":\"Lin\",\"ProcessEndTime\":\"1625677535.102\",\"SVUID\":\"114\",\"ParentBaseFileName\":\"bash\",\"id\":\"ffffffff-1111-11eb-bad4-02690d039c6b\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677535482\",\"ProcessGroupId\":\"9277112078\",\"event_simpleName\":\"ProcessRollup2\",\"RawProcessId\":\"73249\",\"GID\":\"119\",\"ConfigStateHash\":\"1284133626\",\"SVGID\":\"119\",\"MD5HashData\":\"29037cef466fa57f03bd1b2a092c47a4\",\"SHA256HashData\":\"a4f11f04df7aa3ac611dcbdb3e3d934a8f0523ea17b0a41a1809c380efd2d112\",\"ConfigBuild\":\"1007.8.0010912.1\",\"UID\":\"114\",\"CommandLine\":\"pgbackrest --stanza\\u003dmain archive-get 000000020004D51F0000009F pg_wal/RECOVERYXLOG\",\"TargetProcessId\":\"38911778380590\",\"ImageFileName\":\"/usr/bin/pgbackrest\",\"RGID\":\"119\",\"SourceThreadId\":\"0\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2LinV6\",\"RUID\":\"114\",\"ProcessStartTime\":\"1625677535.068\",\"aid\":\"ffffffffcf45409f87ed463b40c368ec\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:35.482Z", "kind": "event", @@ -987,11 +997,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b", "address": "208.238.3.157", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "208.238.3.157" + "ip": "208.238.3.157", + "serial_number": "ffffffff5a2e420c99f6b6d3a5d9de9b", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:05:03.713Z", "ecs": { 
@@ -1011,7 +1022,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460355300Z", + "ingested": "2021-11-22T09:23:55.465498600Z", "original": "{\"event_simpleName\":\"NetworkConnectIP6\",\"ContextTimeStamp\":\"1625677503.713\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"17307455014463\",\"RemotePort\":\"0\",\"aip\":\"208.238.3.157\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"41952\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP6LinV5\",\"id\":\"ffffffff-1111-11eb-9d7c-02e8a46f51a5\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff5a2e420c99f6b6d3a5d9de9b\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677503947\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:03.947Z", "kind": "event", @@ -1062,11 +1073,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff20bd481a98a3d1f6191047ff", "address": "208.24.230.3", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.24.230.3" + "ip": "208.24.230.3", + "serial_number": "ffffffff20bd481a98a3d1f6191047ff", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:20.973Z", "file": { 
@@ -1091,7 +1103,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460363700Z", + "ingested": "2021-11-22T09:23:55.465505600Z", "original": "{\"event_simpleName\":\"OoxmlFileWritten\",\"ContextTimeStamp\":\"1625677520.973\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365044948432500700\",\"ContextThreadId\":\"0\",\"aip\":\"208.24.230.3\",\"FileIdentifier\":\"0500000100000000000000000000000021b0260000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"OoxmlFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-8ad1-02cfdadef55f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff20bd481a98a3d1f6191047ff\",\"timestamp\":\"1625677521081\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user1/Library/Application Support/Google/DriveFS/110588730849638631570/content_cache/d23/d44/432508\"}", "created": "2021-07-07T17:05:21.081Z", "kind": "event", @@ -1182,11 +1194,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffbd064538b214ab0dce8e82c3", "address": "208.144.51.215", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "208.144.51.215" + "ip": "208.144.51.215", + "serial_number": "ffffffffbd064538b214ab0dce8e82c3", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:05:30.308Z", "ecs": { 
@@ -1208,7 +1221,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460372Z", + "ingested": "2021-11-22T09:23:55.465512400Z", "original": "{\"LocalAddressIP4\":\"208.230.137.65\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1625677530.308\",\"ConfigStateHash\":\"3469235958\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"12227094573885\",\"RemotePort\":\"80\",\"aip\":\"208.144.51.215\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"59926\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP4LinV5\",\"id\":\"ffffffff-1111-11eb-b727-028bbe41f38d\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffffbd064538b214ab0dce8e82c3\",\"RemoteAddressIP4\":\"208.254.169.254\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677530841\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:30.841Z", "kind": "event", @@ -1244,11 +1257,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff25b14d4aa96de99e24bad2fa", "address": "208.231.69.37", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "208.231.69.37" + "ip": "208.231.69.37", + "serial_number": "ffffffff25b14d4aa96de99e24bad2fa", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:04:53.974Z", "os": { 
@@ -1270,7 +1284,7 @@ }, "event": { "action": "ChannelVersionRequired", - "ingested": "2021-08-13T09:21:37.460380400Z", + "ingested": "2021-11-22T09:23:55.465519Z", "original": "{\"ChannelVersion\":\"0\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"1156120155\",\"ChannelDiffStatus\":\"1\",\"aip\":\"208.231.69.37\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"12\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"ChannelVersionRequiredLinV2\",\"id\":\"ffffffff-1111-11eb-b7e0-02332cdcc16d\",\"ErrorCode\":\"0\",\"aid\":\"ffffffff25b14d4aa96de99e24bad2fa\",\"timestamp\":\"1625677493974\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b7e0-02332cdcc16d", "created": "2021-07-07T17:04:53.974Z" @@ -1317,11 +1331,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffc9114c1898e79604708955a6", "address": "208.203.151.21", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "208.203.151.21" + "ip": "208.203.151.21", + "serial_number": "ffffffffc9114c1898e79604708955a6", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:05:21.218Z", "ecs": { 
@@ -1341,7 +1356,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460388800Z", + "ingested": "2021-11-22T09:23:55.465525700Z", "original": "{\"event_simpleName\":\"LocalIpAddressIP6\",\"LocalAddressIP6\":\"ff88:1:1:ffff:6c9e:e0ff:fe1f:6d7d\",\"ConfigStateHash\":\"1156120155\",\"CreationTimeStamp\":\"1625677520.686\",\"aip\":\"208.203.151.21\",\"PhysicalAddress\":\"6e-9e-e0-1f-6d-7d\",\"InterfaceAlias\":\"vethdeb0243\",\"InterfaceIndex\":\"3736\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"InterfaceType\":\"1\",\"name\":\"LocalIpAddressIP6LinV1\",\"id\":\"ffffffff-1111-11eb-92d2-0286f570f8e1\",\"PhysicalAddressLength\":\"6\",\"aid\":\"ffffffffc9114c1898e79604708955a6\",\"timestamp\":\"1625677521218\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:21.218Z", "kind": "state", @@ -1377,11 +1392,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff2d7b4778a73b2cf58d327e42", "address": "208.169.10.84", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.169.10.84" + "ip": "208.169.10.84", + "serial_number": "ffffffff2d7b4778a73b2cf58d327e42", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:40.455Z", "os": { 
@@ -1403,7 +1419,7 @@ }, "event": { "action": "ChannelVersionRequired", - "ingested": "2021-08-13T09:21:37.460397Z", + "ingested": "2021-11-22T09:23:55.465532600Z", "original": "{\"ChannelVersion\":\"0\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"1620585913\",\"ChannelDiffStatus\":\"1\",\"aip\":\"208.169.10.84\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"210\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ChannelVersionRequiredMacV2\",\"id\":\"ffffffff-1111-11eb-8cc5-02c6fb049dd3\",\"ErrorCode\":\"0\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff2d7b4778a73b2cf58d327e42\",\"timestamp\":\"1625677480455\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-8cc5-02c6fb049dd3", "created": "2021-07-07T17:04:40.455Z" @@ -1438,11 +1454,12 @@ }, "country_iso_code": "US" }, - "serial_number": "fffffffff6e146908cbf31d72b94b626", "address": "208.231.69.37", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "208.231.69.37" + "ip": "208.231.69.37", + "serial_number": "fffffffff6e146908cbf31d72b94b626", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:05:40.292Z", "os": { @@ -1463,7 +1480,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460405400Z", + "ingested": "2021-11-22T09:23:55.465539500Z", "original": "{\"event_simpleName\":\"SensorHeartbeat\",\"ConfigStateHash\":\"1156120155\",\"NetworkContainmentState\":\"0\",\"aip\":\"208.231.69.37\",\"ConfigIDBase\":\"65994753\",\"SensorStateBitMap\":\"2\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"ConfigurationVersion\":\"10\",\"name\":\"SensorHeartbeatLinV4\",\"ConfigIDPlatform\":\"8\",\"id\":\"ffffffff-1111-11eb-993f-02b8dc387eb5\",\"ConfigIDBuild\":\"11611\",\"aid\":\"fffffffff6e146908cbf31d72b94b626\",\"timestamp\":\"1625677540292\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:40.292Z", "kind": "event", 
@@ -1524,11 +1541,12 @@ "lat": 45.5152 } }, - "serial_number": "ffffffff083845f68a7de3d95cb34361", "address": "208.187.110.246", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.187.110.246" + "ip": "208.187.110.246", + "serial_number": "ffffffff083845f68a7de3d95cb34361", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:28.570Z", "file": { @@ -1554,7 +1572,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460413600Z", + "ingested": "2021-11-22T09:23:55.465546300Z", "original": "{\"event_simpleName\":\"JavaClassFileWritten\",\"ContextTimeStamp\":\"1625677528.570\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364783686797112486\",\"ContextThreadId\":\"0\",\"aip\":\"208.187.110.246\",\"FileIdentifier\":\"04000001000000000000000000000000986b480e00000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"JavaClassFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-97c6-02fd02aca859\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff083845f68a7de3d95cb34361\",\"timestamp\":\"1625677528717\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user2/shopper-one/tooling/teams-plugin/build/classes/kotlin/main/com/instacart/shopper/tooling/TeamsPlugin$apply$$inlined$configure$1.class\"}", "created": "2021-07-07T17:05:28.717Z", "kind": "event", @@ -1629,11 +1647,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff96f142f6b2475f3c584ddd80", "address": "208.223.60.11", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.223.60.11" + "ip": "208.223.60.11", + "serial_number": "ffffffff96f142f6b2475f3c584ddd80", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:12.700Z", "ecs": { 
@@ -1655,7 +1674,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460421700Z", + "ingested": "2021-11-22T09:23:55.465553100Z", "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkConnectIP4\",\"ContextTimeStamp\":\"1625677512.700\",\"ConfigStateHash\":\"1620585913\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364796317497854624\",\"RemotePort\":\"443\",\"aip\":\"208.223.60.11\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"0\",\"Entitlements\":\"15\",\"name\":\"NetworkConnectIP4MacV10\",\"id\":\"ffffffff-1111-11eb-9c94-0222a21bbb27\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff96f142f6b2475f3c584ddd80\",\"RemoteAddressIP4\":\"208.208.21.205\",\"ConnectionDirection\":\"0\",\"InContext\":\"0\",\"timestamp\":\"1625677512892\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:12.892Z", "kind": "event", @@ -1719,11 +1738,12 @@ "lat": 38.8898 } }, - "serial_number": "ffffffff7ecf4e61bba14ca5ac5d17b1", "address": "208.198.160.35", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.198.160.35" + "ip": "208.198.160.35", + "serial_number": "ffffffff7ecf4e61bba14ca5ac5d17b1", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:35.806Z", "ecs": { 
@@ -1741,7 +1761,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460427800Z", + "ingested": "2021-11-22T09:23:55.465559800Z", "original": "{\"event_simpleName\":\"DnsRequest\",\"ContextTimeStamp\":\"1625677475.806\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364977197365370629\",\"DomainName\":\"jss.dom1.com\",\"ContextThreadId\":\"0\",\"aip\":\"208.198.160.35\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"DnsRequestMacV1\",\"id\":\"ffffffff-1111-11eb-9644-060415b1fd87\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff7ecf4e61bba14ca5ac5d17b1\",\"timestamp\":\"1625677476111\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"RequestType\":\"28\"}", "created": "2021-07-07T17:04:36.111Z", "kind": "event", @@ -1792,11 +1812,12 @@ "lat": 38.4203 } }, - "serial_number": "ffffffffbea440b9aad8b5bf222d303f", "address": "208.180.129.90", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.180.129.90" + "ip": "208.180.129.90", + "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:04.770Z", "file": { 
@@ -1824,7 +1845,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460433900Z", + "ingested": "2021-11-22T09:23:55.465566600Z", "original": "{\"event_simpleName\":\"NewScriptWritten\",\"ContextTimeStamp\":\"1625677504.770\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"365053504406857894\",\"Size\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"208.180.129.90\",\"SHA256HashData\":\"2d9a331f045a9c6b13d45eabe948b5c7dfdc25e1251bff6756fa306581087da9\",\"FileIdentifier\":\"05000001000000000000000000000000b588050000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NewScriptWrittenMacV2\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"timestamp\":\"1625677540055\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Applications/BitBar/countdown_timer.1s.py\"}", "created": "2021-07-07T17:05:40.055Z", "kind": "event", @@ -1870,11 +1891,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffbfbf4ff5aa56a26ad3c1a942", "address": "208.203.151.21", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "208.203.151.21" + "ip": "208.203.151.21", + "serial_number": "ffffffffbfbf4ff5aa56a26ad3c1a942", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:05:26.386Z", "ecs": { 
@@ -1894,7 +1916,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460441100Z", + "ingested": "2021-11-22T09:23:55.465573400Z", "original": "{\"InterfaceIndex\":\"186\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_simpleName\":\"LocalIpAddressRemovedIP6\",\"event_platform\":\"Lin\",\"LocalAddressIP6\":\"ff88:1:1:ffff:440a:57ff:fe3a:8abc\",\"ConfigStateHash\":\"1156120155\",\"name\":\"LocalIpAddressRemovedIP6LinV1\",\"aip\":\"208.203.151.21\",\"id\":\"ffffffff-1111-11eb-b3c1-02ff598b7945\",\"aid\":\"ffffffffbfbf4ff5aa56a26ad3c1a942\",\"timestamp\":\"1625677526386\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:26.386Z", "kind": "state", @@ -1942,11 +1964,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff24db47799d1a85aae61dc7bc", "address": "208.130.71.241", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.130.71.241" + "ip": "208.130.71.241", + "serial_number": "ffffffff24db47799d1a85aae61dc7bc", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:59.994Z", "file": { 
@@ -1970,7 +1993,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460448500Z", + "ingested": "2021-11-22T09:23:55.465580200Z", "original": "{\"event_simpleName\":\"DirectoryCreate\",\"ContextTimeStamp\":\"1625677499.994\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053555029062046\",\"ContextThreadId\":\"0\",\"aip\":\"208.130.71.241\",\"Flags\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"event_platform\":\"Mac\",\"UnixMode\":\"0\",\"Entitlements\":\"15\",\"name\":\"DirectoryCreateMacV1\",\"id\":\"ffffffff-1111-11eb-92d2-0286f570f8e1\",\"VnodeType\":\"2\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff24db47799d1a85aae61dc7bc\",\"TargetDirectoryName\":\"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871\",\"timestamp\":\"1625677500089\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/s8/9c47txv13vj8qx_m7cqtx2w80000gp/T/.LINKS/2F71C2D4-D215-453E-BF4C-D6C037502871\"}", "created": "2021-07-07T17:05:00.089Z", "kind": "event", @@ -2070,11 +2093,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff58de4e748d9f64c85a9b49e6", "address": "208.233.129.250", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "208.233.129.250" + "ip": "208.233.129.250", + "serial_number": "ffffffff58de4e748d9f64c85a9b49e6", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:05:17.658Z", "ecs": { 
@@ -2096,7 +2120,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460457Z", + "ingested": "2021-11-22T09:23:55.465587300Z", "original": "{\"LocalAddressIP4\":\"208.210.109.249\",\"event_simpleName\":\"NetworkCloseIP4\",\"ContextTimeStamp\":\"1625677517.658\",\"ConfigStateHash\":\"1479784503\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"84424232977619\",\"RemotePort\":\"443\",\"aip\":\"208.233.129.250\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"40394\",\"Entitlements\":\"15\",\"name\":\"NetworkCloseIP4LinV6\",\"id\":\"ffffffff-1111-11eb-9015-02e89cda7d5f\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff58de4e748d9f64c85a9b49e6\",\"RemoteAddressIP4\":\"208.216.236.59\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677517986\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:17.986Z", "kind": "event", @@ -2147,11 +2171,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", "address": "208.93.153.49", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.93.153.49" + "ip": "208.93.153.49", + "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:56.750Z", "ecs": { 
@@ -2169,7 +2194,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460464500Z", + "ingested": "2021-11-22T09:23:55.465594200Z", "original": "{\"VolumeMediaName\":\"AppleAPFSMedia\",\"VolumeDeviceProtocol\":\"PCI-Express\",\"VolumeDeviceVendor\":\"\",\"ContextThreadId\":\"0\",\"VolumeMediaContent\":\"41504653-0000-11AA-AA11-00306543ECAC\",\"VolumeMediaEjectable\":\"0\",\"aip\":\"208.93.153.49\",\"VolumeAppearanceTime\":\"1625677422.647\",\"VolumeDeviceModel\":\"APPLE SSD SM0256L\",\"VolumeMediaBSDName\":\"disk1s3\",\"VolumeMountPoint\":\"/Volumes/Recovery\",\"event_platform\":\"Mac\",\"VolumeType\":\"APFS\",\"VolumeMediaRemovable\":\"0\",\"VolumeMediaBSDUnit\":\"1\",\"VolumeFileSystemDriver\":\"apfs\",\"id\":\"ffffffff-1111-11eb-956a-02748d01bd3d\",\"VolumeMediaSize\":\"250685575168\",\"EffectiveTransmissionClass\":\"2\",\"VolumeBusName\":\"IONVMeController\",\"timestamp\":\"1625677496804\",\"VolumeMediaBSDMinor\":\"8\",\"VolumeMediaWritable\":\"1\",\"event_simpleName\":\"FsVolumeMounted\",\"VolumeDevicePath\":\"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1\",\"VolumeName\":\"Recovery\",\"ContextTimeStamp\":\"1625677496.750\",\"VolumeSectorSize\":\"4096\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053546767850587\",\"VolumeBusPath\":\"IODeviceTree:/PCI0@0/RP01@1C/SSD0@0/IONVMeController\",\"VolumeDeviceInternal\":\"1\",\"ConfigBuild\":\"1007.4.0013701.1\",\"VolumeUUID\":\"85400FAD-01F9-0442-8C5D-441F365D4909\",\"VolumeDeviceRevision\":\"CXS4LA0Q\",\"Entitlements\":\"15\",\"name\":\"FsVolumeMountedMacV1\",\"VolumeMediaBSDMajor\":\"1\",\"VolumeMediaPath\":\"IOService:/AppleACPIPlatformExpert/PCI0@0/AppleACPIPCI/RP01@1C/IOPP/SSD0@0/IONVMeController/IONVMeBlockStorageDevice@1/IOBlockStorageDriver/APPLE SSD SM0256L 
Media/IOGUIDPartitionScheme/NoName@2/AppleAPFSContainerScheme/AppleAPFSMedia/AppleAPFSContainer/Recovery@3\",\"aid\":\"ffffffff8eca418b7a861be9c5f7de1d\",\"VolumeMediaUUID\":\"AD0F4085-F901-4204-8C5D-441F365D4909\",\"VolumeMediaWhole\":\"0\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"VolumeIsNetwork\":\"0\"}", "created": "2021-07-07T17:04:56.804Z", "kind": "event", @@ -2262,11 +2287,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff190e436aaebc3892bcda5beb", "address": "208.233.54.217", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "208.233.54.217" + "ip": "208.233.54.217", + "serial_number": "ffffffff190e436aaebc3892bcda5beb", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:05:14.374Z", "ecs": { @@ -2286,7 +2312,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460470800Z", + "ingested": "2021-11-22T09:23:55.465601100Z", "original": "{\"LocalAddressIP4\":\"208.30.117.28\",\"event_simpleName\":\"LocalIpAddressIP4\",\"ConfigStateHash\":\"1156120155\",\"CreationTimeStamp\":\"1625677513.841\",\"aip\":\"208.233.54.217\",\"PhysicalAddress\":\"0e-d6-ff-ff-ff-63\",\"InterfaceAlias\":\"eth0\",\"InterfaceIndex\":\"2\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"InterfaceType\":\"1\",\"name\":\"LocalIpAddressIP4LinV1\",\"id\":\"ffffffff-1111-11eb-9c94-0222a21bbb27\",\"PhysicalAddressLength\":\"6\",\"aid\":\"ffffffff190e436aaebc3892bcda5beb\",\"timestamp\":\"1625677514374\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:14.374Z", "kind": "state", @@ -2335,11 +2361,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "address": "208.165.30.176", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.165.30.176" + "ip": "208.165.30.176", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:40.056Z", "ecs": { 
@@ -2359,7 +2386,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460479200Z", + "ingested": "2021-11-22T09:23:55.465607800Z", "original": "{\"event_simpleName\":\"LocalIpAddressRemovedIP6\",\"LocalAddressIP6\":\"ff88:1:1:ffff:442a:7bff:fe75:9ed\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"208.165.30.176\",\"InterfaceIndex\":\"8\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"NetLuidIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressRemovedIP6MacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677480056\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:40.056Z", "kind": "state", @@ -2409,11 +2436,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff0ad7494e8e817b3903f4eebb", "address": "208.176.144.39", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.176.144.39" + "ip": "208.176.144.39", + "serial_number": "ffffffff0ad7494e8e817b3903f4eebb", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:21.723Z", "ecs": { 
@@ -2433,7 +2461,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460485400Z", + "ingested": "2021-11-22T09:23:55.465614500Z", "original": "{\"OutOctets\":\"0\",\"CreationTimeStamp\":\"\",\"aip\":\"208.176.144.39\",\"OutMulticastPkts\":\"0\",\"InErrors\":\"0\",\"InterfaceAlias\":\"llw0\",\"InDiscards\":\"0\",\"InterfaceIndex\":\"8\",\"event_platform\":\"Mac\",\"InterfaceType\":\"6\",\"id\":\"ffffffff-1111-11eb-b88d-06b7cb0d7bd7\",\"PhysicalAddressLength\":\"6\",\"InUcastPkts\":\"0\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677521723\",\"event_simpleName\":\"LocalIpAddressIP6\",\"LocalAddressIP6\":\"ff88:1:1:ffff:c027:b0ff:fe27:830f\",\"ConfigStateHash\":\"1620585913\",\"PhysicalAddress\":\"c2-27-b0-27-83-0f\",\"OutErrors\":\"0\",\"InUnknownProtos\":\"0\",\"OutUcastPkts\":\"0\",\"InMulticastPkts\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"InOctets\":\"0\",\"NetLuidIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressIP6MacV1\",\"aid\":\"ffffffff0ad7494e8e817b3903f4eebb\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:21.723Z", "kind": "state", @@ -2509,11 +2537,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff23d24c4193ffa6f270775ee5", "address": "208.98.120.25", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.98.120.25" + "ip": "208.98.120.25", + "serial_number": "ffffffff23d24c4193ffa6f270775ee5", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:07.037Z", "ecs": { 
@@ -2533,7 +2562,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460491700Z", + "ingested": "2021-11-22T09:23:55.465621300Z", "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkListenIP4\",\"ContextTimeStamp\":\"1625677507.037\",\"ConfigStateHash\":\"3090255842\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364432308748445743\",\"RemotePort\":\"0\",\"aip\":\"208.98.120.25\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"50647\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP4MacV10\",\"id\":\"ffffffff-1111-11eb-8b36-06a8af5164a9\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff23d24c4193ffa6f270775ee5\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677507086\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:07.086Z", "kind": "event", @@ -2583,11 +2612,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffa7bf46da689501ce58bd6987", "address": "208.31.216.39", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.31.216.39" + "ip": "208.31.216.39", + "serial_number": "ffffffffa7bf46da689501ce58bd6987", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:36.729Z", "file": { 
@@ -2611,7 +2641,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460500100Z", + "ingested": "2021-11-22T09:23:55.465628Z", "original": "{\"event_simpleName\":\"ExecutableDeleted\",\"ContextTimeStamp\":\"1625677536.729\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364994904864288322\",\"ContextThreadId\":\"0\",\"aip\":\"208.31.216.39\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ExecutableDeletedMacV1\",\"id\":\"ffffffff-1111-11eb-8ca0-0231588e8cbb\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffa7bf46da689501ce58bd6987\",\"timestamp\":\"1625677536784\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user3/Library/Caches/com.tinyspeck.slackmacgap.ShipIt/update.FXKsmFO/Slack.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt\"}", "created": "2021-07-07T17:05:36.784Z", "kind": "event", @@ -2659,11 +2689,12 @@ }, "country_iso_code": "US" }, - "serial_number": "fffffffffc2c4e4fa9c08e1a8388e5f9", "address": "208.188.8.87", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.188.8.87" + "ip": "208.188.8.87", + "serial_number": "fffffffffc2c4e4fa9c08e1a8388e5f9", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:04.542Z", "file": { 
@@ -2690,7 +2721,7 @@ }, "event": { "action": "GzipFileWritten", - "ingested": "2021-08-13T09:21:37.460508500Z", + "ingested": "2021-11-22T09:23:55.465634800Z", "original": "{\"event_simpleName\":\"GzipFileWritten\",\"ContextTimeStamp\":\"1625677504.542\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"362897421906895953\",\"ContextThreadId\":\"0\",\"aip\":\"208.188.8.87\",\"FileIdentifier\":\"04000001000000000000000000000000501f510700000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"GzipFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-9320-06d410e6f705\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffffc2c4e4fa9c08e1a8388e5f9\",\"timestamp\":\"1625677504614\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/powerlog/Library/BatteryLife/Archives/powerlog_2021-07-05_CC5F9FC1.PLSQL.gz\"}", "id": "ffffffff-1111-11eb-9320-06d410e6f705", "created": "2021-07-07T17:05:04.614Z" @@ -2714,11 +2745,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "address": "208.165.30.176", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.165.30.176" + "ip": "208.165.30.176", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T01:52:50.595Z", "os": { 
@@ -2739,7 +2771,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460516700Z", + "ingested": "2021-11-22T09:23:55.465641500Z", "original": "{\"event_simpleName\":\"IOServiceRegister\",\"ContextTimeStamp\":\"1625622770.595\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"208.165.30.176\",\"IOServiceClass\":\"IOUSBDevice:IOUSBNub:IOService:IORegistryEntry:OSObject\",\"ConfigBuild\":\"1007.4.0013701.1\",\"IOServicePath\":\"IOService:/IOResources/AppleUSBHostResources/AppleUSBLegacyRoot/AppleUSBVHCIBCE@80000000/Touch Bar Backlight@80700000\",\"event_platform\":\"Mac\",\"IOServiceProperties\":\"\",\"Entitlements\":\"15\",\"name\":\"IOServiceRegisterMacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"IOServiceName\":\"Touch Bar Backlight\",\"timestamp\":\"1625677480056\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:40.056Z", "kind": "event", @@ -2796,11 +2828,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "address": "208.165.30.176", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.165.30.176" + "ip": "208.165.30.176", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T01:50:02.031Z", "ecs": { 
@@ -2818,7 +2851,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460524700Z", + "ingested": "2021-11-22T09:23:55.465648300Z", "original": "{\"event_simpleName\":\"PtyCreated\",\"ContextTimeStamp\":\"1625622602.031\",\"ConfigStateHash\":\"3967242894\",\"ContextProcessId\":\"364938416497226937\",\"DeviceId\":\"251658248\",\"ContextThreadId\":\"0\",\"aip\":\"208.165.30.176\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"PtyCreatedMacV1\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677478739\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:38.739Z", "kind": "event", @@ -2883,11 +2916,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff5ae3449ab33a1809fe6c5ce2", "address": "208.69.76.234", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.69.76.234" + "ip": "208.69.76.234", + "serial_number": "ffffffff5ae3449ab33a1809fe6c5ce2", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:35.967Z", "ecs": { @@ -2907,7 +2941,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460533100Z", + "ingested": "2021-11-22T09:23:55.465655100Z", "original": "{\"LocalAddressIP4\":\"208.27.233.142\",\"event_simpleName\":\"LocalIpAddressRemovedIP4\",\"ConfigStateHash\":\"1803419442\",\"aip\":\"208.69.76.234\",\"InterfaceIndex\":\"18\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"NetLuidIndex\":\"2\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressRemovedIP4MacV1\",\"id\":\"ffffffff-1111-11eb-b7b7-066cc89bcebf\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff5ae3449ab33a1809fe6c5ce2\",\"timestamp\":\"1625677475967\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:35.967Z", "kind": "state", 
@@ -2971,11 +3005,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff335f47ca89cad6a19f203bbd", "address": "208.144.51.215", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "208.144.51.215" + "ip": "208.144.51.215", + "serial_number": "ffffffff335f47ca89cad6a19f203bbd", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:04:34.875Z", "ecs": { @@ -2995,7 +3030,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460541900Z", + "ingested": "2021-11-22T09:23:55.465662100Z", "original": "{\"event_simpleName\":\"NetworkCloseIP6\",\"ContextTimeStamp\":\"1625677474.875\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"ConfigStateHash\":\"1701000200\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"12241681491990\",\"RemotePort\":\"9\",\"aip\":\"208.144.51.215\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"59999\",\"Entitlements\":\"15\",\"name\":\"NetworkCloseIP6LinV6\",\"id\":\"ffffffff-1111-11eb-8130-02cde7751097\",\"Protocol\":\"17\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff335f47ca89cad6a19f203bbd\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677475413\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:35.413Z", "kind": "event", @@ -3031,11 +3066,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffa74a4c89b9984a3a7124bb9d", "address": "208.203.151.21", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "208.203.151.21" + "ip": "208.203.151.21", + "serial_number": "ffffffffa74a4c89b9984a3a7124bb9d", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:04:50.580Z", "os": { 
@@ -3056,7 +3092,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460550100Z", + "ingested": "2021-11-22T09:23:55.465668800Z", "original": "{\"ConfigBuild\":\"1007.8.0011611.1\",\"event_simpleName\":\"ConfigStateUpdate\",\"event_platform\":\"Lin\",\"ConfigStateHash\":\"1156120155\",\"ConfigStateData\":\"0,0,1007.8.0011611.1|1,c,0|1,22,6|1,59,2d|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|\",\"name\":\"ConfigStateUpdateLinV2\",\"aip\":\"208.203.151.21\",\"id\":\"ffffffff-1111-11eb-af89-06c111484f9f\",\"aid\":\"ffffffffa74a4c89b9984a3a7124bb9d\",\"timestamp\":\"1625677490580\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:50.580Z", "kind": "event", @@ -3115,11 +3151,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff0cd64fb78626ab1b6c65ac8c", "address": "208.141.219.156", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.141.219.156" + "ip": "208.141.219.156", + "serial_number": "ffffffff0cd64fb78626ab1b6c65ac8c", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:53.531Z", "ecs": { 
@@ -3137,7 +3174,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460558400Z", + "ingested": "2021-11-22T09:23:55.465675600Z", "original": "{\"event_simpleName\":\"SuspiciousDnsRequest\",\"ContextTimeStamp\":\"1625677493.531\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364839648316192383\",\"DomainName\":\"hg-t2.dotice.me\",\"ContextThreadId\":\"0\",\"aip\":\"208.141.219.156\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"SuspiciousDnsRequestMacV1\",\"id\":\"ffffffff-1111-11eb-a4a3-02cbdfb8f529\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff0cd64fb78626ab1b6c65ac8c\",\"timestamp\":\"1625677493756\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"RequestType\":\"1\"}", "created": "2021-07-07T17:04:53.756Z", "kind": "alert", @@ -3172,11 +3209,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffabd047b1a86c1fcd8ef22b59", "address": "208.233.54.217", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "208.233.54.217" + "ip": "208.233.54.217", + "serial_number": "ffffffffabd047b1a86c1fcd8ef22b59", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:05:30.922Z", "os": { @@ -3197,7 +3235,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460566800Z", + "ingested": "2021-11-22T09:23:55.465682400Z", "original": "{\"Parameter2\":\"0\",\"event_simpleName\":\"ErrorEvent\",\"Parameter1\":\"18446744072635810412\",\"Parameter3\":\"0\",\"ConfigStateHash\":\"1156120155\",\"aip\":\"208.233.54.217\",\"Line\":\"96\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"ErrorStatus\":\"3759276032\",\"name\":\"ErrorEventLinV1\",\"id\":\"ffffffff-1111-11eb-bdd3-0681aa29cecb\",\"Facility\":\"16778240\",\"aid\":\"ffffffffabd047b1a86c1fcd8ef22b59\",\"File\":\"0\",\"timestamp\":\"1625677530922\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:30.922Z", "kind": "alert", 
@@ -3241,11 +3279,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffa15a452190ae454f7d33e07e", "address": "208.24.60.146", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.24.60.146" + "ip": "208.24.60.146", + "serial_number": "ffffffffa15a452190ae454f7d33e07e", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:30.590Z", "os": { 
@@ -3266,7 +3305,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460575100Z", + "ingested": "2021-11-22T09:23:55.465689200Z", "original": "{\"event_simpleName\":\"ConfigStateUpdate\",\"ConfigStateHash\":\"3090255842\",\"ConfigStateData\":\"0,0,1007.4.0013701.1|1,2,1|1,4,a|1,6,0|1,8,46|1,a,1|1,c,0|1,17,1f|1,18,18|1,19,0|1,1e,407|1,21,3d2|1,27,1|1,53,18b|1,56,0|1,d0,16d|1,d1,0|1,d2,0|1,df,4c|1,e0,6|1,f6,1|1,1f5,1|1,1f7,1|1,1fd,1|1,200,0|2,0,138,a8000000032,140000000085,140000000153,18000000004c,18000000004f,180000000050,180000000051,180000000054,1800000000e1,1800000000e7,180000000144,18000000014e,18000000015a,18000000020e,180000000226,180000000227,180400000079,18040000009b,18040000009c,1804000000ff,180400000117,180400000118,180400000142,180400000163,180400000164,180400000166,180400000167,1804000001b2,1804000001f2,1804000001f3,180400000225,1804000002be,1804000002bf,1804000002ca,1804000002cb,1808000000c9,1808000000ee,1808000000fc,1808000000fd,1808000000fe,180c0000016b,180c0000016c,180c0000016d,180c0000016e,180c0000016f,180c00000170,180c000001b6,180c000001b7,180c000001b8,180c000001b9,180c000001f6,180c000001f7,180c000001f8,180c000002c2,180c000002c3,180c000002c4,180c000002ce,180c000002cf,180c000002d0,18100000011e,18100000011f,181000000120,181000000121,181000000122,181000000123,181000000124,181000000125,181000000126,181000000128,181000000169,18100000016a,181000000180,1810000001b1,1810000001c3,18100000021f,181000000220,18100000024e,18100000025b,181000000280,1810000002ad,1810000002d6,1810000002d7,1810000002f3,1c04000000a1,1c04000000a2,1c04000000a3,1c04000000a4,1c04000000a5,1c04000000a6,1c040000011a,1c040000011b,1c040000011c,1c0400000268,1c0400000269,1c040000026a,1c040000026c,1c040000026d,1c040000026e,1c0400000271,1c0400000272,1c0400000273,1c0400000275,1c0400000276,1c0400000277,1c040000028f,1c0400000290,1c0400000291,1c0400000293,1c0400000294,1c0400000295,1c0400000297,1c0400000298,1c0400000299,1c040000029b,1c040000029c,1c040000029d,1c040000029f,1c04000002a0|3,0,65|\",\"
aip\":\"208.24.60.146\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ConfigStateUpdateMacV2\",\"id\":\"ffffffff-1111-11eb-8dc4-0234c12f9875\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffa15a452190ae454f7d33e07e\",\"timestamp\":\"1625677530590\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:30.590Z", "kind": "event", @@ -3349,11 +3388,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffaa0e47a1b009aef151d6179d", "address": "208.131.106.21", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.131.106.21" + "ip": "208.131.106.21", + "serial_number": "ffffffffaa0e47a1b009aef151d6179d", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:09.064Z", "ecs": { @@ -3371,7 +3411,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460583500Z", + "ingested": "2021-11-22T09:23:55.465695900Z", "original": "{\"event_simpleName\":\"KextLoad\",\"ContextTimeStamp\":\"1625677509.064\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364867547408058681\",\"ContextThreadId\":\"0\",\"aip\":\"208.131.106.21\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"BundleID\":\"com.apple.driver.AudioAUUC\",\"Entitlements\":\"15\",\"name\":\"KextLoadMacV1\",\"id\":\"ffffffff-1111-11eb-a2ae-028f6bf89be7\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffaa0e47a1b009aef151d6179d\",\"timestamp\":\"1625677509069\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:09.069Z", "kind": "event", 
@@ -3405,11 +3445,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff67d54f7daf3d998ffc74d48e", "address": "208.27.17.203", - "version": "1007.8.0011110.1", "vendor": "crowdstrike", - "ip": "208.27.17.203" + "ip": "208.27.17.203", + "serial_number": "ffffffff67d54f7daf3d998ffc74d48e", + "type": "agent", + "version": "1007.8.0011110.1" }, "@timestamp": "2021-07-07T17:05:07.901Z", "os": { @@ -3431,7 +3472,7 @@ }, "event": { "action": "ChannelVersionRequired", - "ingested": "2021-08-13T09:21:37.460591800Z", + "ingested": "2021-11-22T09:23:55.465702600Z", "original": "{\"ChannelVersion\":\"25\",\"event_simpleName\":\"ChannelVersionRequired\",\"ConfigStateHash\":\"3155796140\",\"aip\":\"208.27.17.203\",\"ChannelVersionRequired\":\"0\",\"ChannelId\":\"20\",\"ConfigBuild\":\"1007.8.0011110.1\",\"event_platform\":\"Lin\",\"name\":\"ChannelVersionRequiredLinV1\",\"id\":\"ffffffff-1111-11eb-b411-06baeacb7a63\",\"aid\":\"ffffffff67d54f7daf3d998ffc74d48e\",\"timestamp\":\"1625677507901\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b411-06baeacb7a63", "created": "2021-07-07T17:05:07.901Z" @@ -3487,11 +3528,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffe22549479fbe8293b6747a68", "address": "208.203.151.21", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "208.203.151.21" + "ip": "208.203.151.21", + "serial_number": "ffffffffe22549479fbe8293b6747a68", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:05:11.754Z", "ecs": { 
@@ -3510,7 +3552,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460600Z", + "ingested": "2021-11-22T09:23:55.465709400Z", "original": "{\"event_simpleName\":\"ProcessRollup2Stats\",\"ConfigStateHash\":\"2037712541\",\"Timeout\":\"60\",\"ParentProcessId\":\"0\",\"aip\":\"208.203.151.21\",\"SuppressType\":\"3\",\"SHA256HashData\":\"64e48365207d0c19008ba7d53d75c0de3fcd5a1590e4c40fc69c677663fedc20\",\"ProcessCount\":\"60\",\"BoundedCount\":\"57\",\"ConfigBuild\":\"1007.8.0011308.1\",\"UID\":\"115\",\"event_platform\":\"Lin\",\"CommandLine\":\"sh -c \\\"/usr/lib/erlang/erts-11.1.3/bin/epmd\\\" -daemon\",\"Entitlements\":\"15\",\"name\":\"ProcessRollup2StatsLinV3\",\"id\":\"ffffffff-1111-11eb-b34e-063f4cefccb3\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffe22549479fbe8293b6747a68\",\"timestamp\":\"1625677511754\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:11.754Z", "kind": "state", @@ -3559,11 +3601,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "address": "208.165.30.176", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.165.30.176" + "ip": "208.165.30.176", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:38.122Z", "ecs": { 
@@ -3584,7 +3627,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460608300Z", + "ingested": "2021-11-22T09:23:55.465718900Z", "original": "{\"event_simpleName\":\"UserIdentity\",\"LoginSessionId\":\"1138166333440\",\"AuthenticationUuidAsString\":\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109\",\"UserName\":\"user1\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"208.165.30.176\",\"AuthenticationId\":\"265\",\"UserPrincipal\":\"user1@dom1\",\"UserSid\":\"S-1-5-21-3852557355-3178143607-2040168074-1530\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"265\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"UserIdentityMacV4\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"AuthenticationUuid\":\"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000109\",\"timestamp\":\"1625677478122\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:38.122Z", "kind": "event", @@ -3631,11 +3674,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff45d647e6ae0ba8764a4bd570", "address": "208.237.139.168", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.237.139.168" + "ip": "208.237.139.168", + "serial_number": "ffffffff45d647e6ae0ba8764a4bd570", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:49.052Z", "os": { 
@@ -3658,7 +3702,7 @@ }, "event": { "action": "DeliverLocalFXToCloud", - "ingested": "2021-08-13T09:21:37.460616600Z", + "ingested": "2021-11-22T09:23:55.465725800Z", "original": "{\"FeatureVector\":\"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\",\"event_simpleName\":\"DeliverLocalFXToCloud\",\"ConfigStateHash\":\"1620585913\",\"aip\":\"208.237.139.168\",\"ModelPrediction\":\"1436899696705536\",\"SHA256HashData\":\"c89caf538788e6524bf4ae93194051f3389eecbc71e4793f12a2dc0368211cc2\",\"Malicious\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"FeatureExtractionVersion\":\"2\",\"event_platform\":\"Mac\",\"FXFileSize\":\"502032\",\"Entitlements\":\"15\",\"name\":\"DeliverLocalFXToCloudMacV4\",\"PupAdwareDecisionValue\":\"12384657383358464\",\"id\":\"ffffffff-1111-11eb-b44e-069a02b0ad6b\",\"PupAdwareConfidence\":\"0\",\"EffectiveTransmissionClass\":\"1\",\"aid\":\"ffffffff45d647e6ae0ba8764a4bd570\",\"MLModelVersion\":\"4\",\"timestamp\":\"1625677489052\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b44e-069a02b0ad6b", "created": "2021-07-07T17:04:49.052Z" @@ -3733,11 +3777,12 @@ }, "country_iso_code": "CA" }, - "serial_number": "ffffffffb3a3442585c05abc61e290fc", "address": "208.114.159.32", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.114.159.32" + "ip": "208.114.159.32", + "serial_number": "ffffffffb3a3442585c05abc61e290fc", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:24.929Z", "file": { 
@@ -3761,7 +3806,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460625Z", + "ingested": "2021-11-22T09:23:55.465732600Z", "original": "{\"event_simpleName\":\"CreateProcessArgs\",\"ContextTimeStamp\":\"1625677524.929\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365035560818271291\",\"ContextThreadId\":\"365035560818271291\",\"aip\":\"208.114.159.32\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"CommandLine\":\"t.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/CategorySurfaceViewController.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationActionView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationAddressView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationErrorView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationHeaderView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationLoadingView.o -o /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationPostalCodeView.o -o 
/Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Build/Intermediates.noindex/Instacart.build/Debug-iphonesimulator/Carrot.build/Objects-normal/x86_64/ChangeLocationViewController.o -index-store-path /Users/user4/Library/Developer/Xcode/DerivedData/Instacart-ceioektzbmfzbcgtsioovgzlzmnt/Index/DataStore -index-system-modules\",\"Entitlements\":\"15\",\"name\":\"CreateProcessArgsMac\",\"id\":\"ffffffff-1111-11eb-8332-020506b18db5\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffb3a3442585c05abc61e290fc\",\"timestamp\":\"1625677525128\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/swift-frontend\"}", "created": "2021-07-07T17:05:25.128Z", "kind": "state", @@ -3809,11 +3854,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffc4044541995bffd84b9df003", "address": "208.15.11.8", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.15.11.8" + "ip": "208.15.11.8", + "serial_number": "ffffffffc4044541995bffd84b9df003", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:48.523Z", "file": { 
@@ -3838,7 +3884,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460633200Z", + "ingested": "2021-11-22T09:23:55.465739400Z", "original": "{\"event_simpleName\":\"PdfFileWritten\",\"ContextTimeStamp\":\"1625677488.523\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364156540965623394\",\"ContextThreadId\":\"0\",\"aip\":\"208.15.11.8\",\"FileIdentifier\":\"05000001000000000000000000000000f1321d0000000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"PdfFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-8903-022a1941b91f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffc4044541995bffd84b9df003\",\"timestamp\":\"1625677488576\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/pt/s9pzbbwd07q_0fxqvfhc513r0000gp/T/com.microsoft.Excel/Content.MSO/mso6ACABA95\"}", "created": "2021-07-07T17:04:48.576Z", "kind": "event", @@ -3880,11 +3926,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "address": "208.165.30.176", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.165.30.176" + "ip": "208.165.30.176", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:38.379Z", "ecs": { 
@@ -3906,7 +3953,7 @@ }, "event": { "action": "GroupIdentity", - "ingested": "2021-08-13T09:21:37.460641600Z", + "ingested": "2021-11-22T09:23:55.465746100Z", "original": "{\"event_simpleName\":\"GroupIdentity\",\"GID\":\"242\",\"AuthenticationUuidAsString\":\"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2\",\"ConfigStateHash\":\"3967242894\",\"aip\":\"208.165.30.176\",\"AuthenticationId\":\"1119489580471877843\",\"UserPrincipal\":\"user2@dom1\",\"UserSid\":\"S-1-5-21-3852557355-3178143607-2040168074-1485\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"GroupIdentityMacV2\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"AuthenticationUuid\":\"ABCDEFAB-CDEF-ABCD-EFAB-CDEF000000F2\",\"timestamp\":\"1625677478379\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-9dc2-029257dbe83b", "created": "2021-07-07T17:04:38.379Z" @@ -3957,11 +4004,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "address": "208.165.30.176", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.165.30.176" + "ip": "208.165.30.176", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T01:50:11.845Z", "file": { 
@@ -3992,7 +4040,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460653Z", + "ingested": "2021-11-22T09:23:55.465752900Z", "original": "{\"event_simpleName\":\"MachOFileWritten\",\"ContextTimeStamp\":\"1625622611.845\",\"ConfigStateHash\":\"3967242894\",\"MachOSubType\":\"3\",\"ContextProcessId\":\"364938429384226082\",\"Size\":\"0\",\"ContextThreadId\":\"0\",\"aip\":\"208.165.30.176\",\"SHA256HashData\":\"c0f50d27fe9fb31e33d1ce6577eeb4d4e17639095ad20575da018d1fcf955198\",\"FileIdentifier\":\"04000001000000000000000000000000ac41270400000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"MachOFileWrittenMacV3\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"timestamp\":\"1625677479336\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/bf/dwpvdj3d1tq00l8fgs5rd7x00000gn/T/.net.example.desktop.ev80yl\"}", "created": "2021-07-07T17:04:39.336Z", "kind": "event", @@ -4053,11 +4101,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff44564c2f8d76394cb25c31ab", "address": "208.165.30.176", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.165.30.176" + "ip": "208.165.30.176", + "serial_number": "ffffffff44564c2f8d76394cb25c31ab", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T01:50:08.014Z", "ecs": { 
@@ -4077,7 +4126,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460661800Z", + "ingested": "2021-11-22T09:23:55.465759600Z", "original": "{\"event_simpleName\":\"NetworkListenIP6\",\"ContextTimeStamp\":\"1625622608.014\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"ConfigStateHash\":\"3967242894\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"364938390018585510\",\"RemotePort\":\"0\",\"aip\":\"208.165.30.176\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LocalPort\":\"8770\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP6MacV10\",\"id\":\"ffffffff-1111-11eb-9dc2-029257dbe83b\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff44564c2f8d76394cb25c31ab\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677478929\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:38.929Z", "kind": "event", @@ -4115,11 +4164,12 @@ "lat": 37.7852 } }, - "serial_number": "ffffffff62714a708030d494ca0a7e60", "address": "208.87.57.118", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.87.57.118" + "ip": "208.87.57.118", + "serial_number": "ffffffff62714a708030d494ca0a7e60", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:02.693Z", "os": { 
@@ -4140,7 +4190,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460670200Z", + "ingested": "2021-11-22T09:23:55.465766300Z", "original": "{\"event_simpleName\":\"CurrentSystemTags\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"208.87.57.118\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"SystemTableIndex\":\"0\",\"Entitlements\":\"15\",\"name\":\"CurrentSystemTagsMacV1\",\"id\":\"ffffffff-1111-11eb-b88d-06b7cb0d7bd7\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff62714a708030d494ca0a7e60\",\"Tags\":\"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 
30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584\",\"timestamp\":\"1625677502693\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:02.693Z", "kind": "state", @@ -4316,11 +4366,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff28414c2293e35c360213e723", "address": "208.24.116.10", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.24.116.10" + "ip": "208.24.116.10", + "serial_number": "ffffffff28414c2293e35c360213e723", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:33.027Z", "file": { 
@@ -4349,7 +4400,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460678500Z", + "ingested": "2021-11-22T09:23:55.465773100Z", "original": "{\"event_simpleName\":\"NewExecutableWritten\",\"ContextTimeStamp\":\"1625677533.027\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"362208380891022165\",\"Size\":\"596224\",\"ContextThreadId\":\"0\",\"aip\":\"208.24.116.10\",\"SHA256HashData\":\"70a06a11057efb22285a7200a53e5b6bae001fe0a98d4b23d0f6a31ad818a005\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NewExecutableWrittenMacV2\",\"id\":\"ffffffff-1111-11eb-985c-02152dd35bc1\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff28414c2293e35c360213e723\",\"timestamp\":\"1625677533060\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.CVG7Ya/Zoom.app/Contents/MacOS/app_mode_loader\",\"VnodeModificationType\":\"0\"}", "created": "2021-07-07T17:05:33.060Z", "kind": "event", @@ -4392,11 +4443,12 @@ }, "country_iso_code": "US" }, - "serial_number": "fffffffffbea48169985c2c2bae89d1d", "address": "208.137.65.223", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.137.65.223" + "ip": "208.137.65.223", + "serial_number": "fffffffffbea48169985c2c2bae89d1d", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:03:48.827Z", "file": { 
@@ -4422,7 +4474,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460686900Z", + "ingested": "2021-11-22T09:23:55.465779900Z", "original": "{\"event_simpleName\":\"LfoUploadDataComplete\",\"LfoUploadFlags\":\"4\",\"AttemptNumber\":\"0\",\"ConfigStateHash\":\"3090255842\",\"SourceFileName\":\"/Users/user5/.rbenv/versions/2.6.5/bin/ruby\",\"Size\":\"3876424\",\"aip\":\"208.137.65.223\",\"SHA256HashData\":\"d7b56e2a06304ecd343985a1aaedff2eb32ee1151bba0e152aff97c778b7562a\",\"UploadId\":\"8023668629276690295\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LfoUploadDataCompleteMacV3\",\"id\":\"ffffffff-1111-11eb-a2ab-024aafff599f\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffffbea48169985c2c2bae89d1d\",\"Tags\":\"312, 11544872091698, 21990232555653, 21990232555859, 26388279066700, 26388279066703, 26388279066704, 26388279066705, 26388279066708, 26388279066849, 26388279066855, 26388279066948, 26388279066958, 26388279066970, 26388279067150, 26388279067174, 26388279067175, 26405458935929, 26405458935963, 26405458935964, 26405458936063, 26405458936087, 26405458936088, 26405458936130, 26405458936163, 26405458936164, 26405458936166, 26405458936167, 26405458936242, 26405458936306, 26405458936307, 26405458936357, 26405458936510, 26405458936511, 26405458936522, 26405458936523, 26422638805193, 26422638805230, 26422638805244, 26422638805245, 26422638805246, 26439818674539, 26439818674540, 26439818674541, 26439818674542, 26439818674543, 26439818674544, 26439818674614, 26439818674615, 26439818674616, 26439818674617, 26439818674678, 26439818674679, 26439818674680, 26439818674882, 26439818674883, 26439818674884, 26439818674894, 26439818674895, 26439818674896, 26456998543646, 26456998543647, 26456998543648, 26456998543649, 26456998543650, 26456998543651, 26456998543652, 26456998543653, 26456998543654, 26456998543656, 26456998543721, 26456998543722, 26456998543744, 26456998543793, 26456998543811, 26456998543903, 
26456998543904, 26456998543950, 26456998543963, 26456998544000, 26456998544045, 26456998544086, 26456998544087, 26456998544115, 30803505447073, 30803505447074, 30803505447075, 30803505447076, 30803505447077, 30803505447078, 30803505447194, 30803505447195, 30803505447196, 30803505447528, 30803505447529, 30803505447530, 30803505447532, 30803505447533, 30803505447534, 30803505447537, 30803505447538, 30803505447539, 30803505447541, 30803505447542, 30803505447543, 30803505447567, 30803505447568, 30803505447569, 30803505447571, 30803505447572, 30803505447573, 30803505447575, 30803505447576, 30803505447577, 30803505447579, 30803505447580, 30803505447581, 30803505447583, 30803505447584\",\"timestamp\":\"1625677428827\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:48.827Z", "kind": "event", @@ -4582,11 +4634,12 @@ "lat": 41.8719 } }, - "serial_number": "ffffffffd452449b8d1eb7d85b146650", "address": "208.100.38.84", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.100.38.84" + "ip": "208.100.38.84", + "serial_number": "ffffffffd452449b8d1eb7d85b146650", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:13.146Z", "os": { @@ -4608,7 +4661,7 @@ }, "event": { "action": "LightningLatencyInfo", - "ingested": "2021-08-13T09:21:37.460695200Z", + "ingested": "2021-11-22T09:23:55.465786600Z", "original": "{\"event_simpleName\":\"LightningLatencyInfo\",\"LightningLatencyState\":\"3\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"208.100.38.84\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LightningLatencyInfoMacV1\",\"id\":\"ffffffff-1111-11eb-b44e-069a02b0ad6b\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffffd452449b8d1eb7d85b146650\",\"timestamp\":\"1625677453146\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "id": "ffffffff-1111-11eb-b44e-069a02b0ad6b", "created": "2021-07-07T17:04:13.146Z" 
@@ -4639,11 +4692,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff8eb649cf8d82be1e65629a0e", "address": "208.93.56.66", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.93.56.66" + "ip": "208.93.56.66", + "serial_number": "ffffffff8eb649cf8d82be1e65629a0e", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:10.083Z", "os": { @@ -4664,7 +4718,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460703600Z", + "ingested": "2021-11-22T09:23:55.465793300Z", "original": "{\"event_simpleName\":\"NeighborListIP4\",\"ConfigStateHash\":\"1620585913\",\"NeighborList\":\"40-C7-29-FF-FF-FF|192.168.2.1|1|64-9A-BE-FF-FF-FF|192.168.2.10|0|F0-FF-FF-FF-A0-14|192.168.2.43|0|DE-58-FF-FF-5D-3B|192.168.2.113|0|5E-AA-FF-FF-FF-20|192.168.2.128|0|44-FF-FF-FF-03-DD|192.168.2.136|0|EE-74-EE-EE-FF-0D|192.168.2.137|0|3A-FF-FF-FF-03-26|192.168.2.144|0|DE-79-FF-FF-FF-D4|192.168.2.145|0|0E-24-FF-EE-EE-87|192.168.2.152|0|CC-D9-AC-AF-66-F8|192.168.2.153|0|\",\"aip\":\"208.93.56.66\",\"InterfaceIndex\":\"6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NeighborListIP4MacV1\",\"id\":\"ffffffff-1111-11eb-9dc0-06c6f5278873\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff8eb649cf8d82be1e65629a0e\",\"timestamp\":\"1625677450083\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:10.083Z", "kind": "state", @@ -4758,11 +4812,12 @@ "lat": 34.7721 } }, - "serial_number": "ffffffff2d984e32b702789b54f0f811", "address": "208.70.175.112", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.70.175.112" + "ip": "208.70.175.112", + "serial_number": "ffffffff2d984e32b702789b54f0f811", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:14.557Z", "file": { 
@@ -4788,7 +4843,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460711800Z", + "ingested": "2021-11-22T09:23:55.465800Z", "original": "{\"event_simpleName\":\"ZipFileWritten\",\"ContextTimeStamp\":\"1625677454.557\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365039419134863763\",\"ContextThreadId\":\"0\",\"aip\":\"208.70.175.112\",\"FileIdentifier\":\"07000001000000000000000000000000b1445a0900000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ZipFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-ab6e-0668ec51180b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff2d984e32b702789b54f0f811\",\"timestamp\":\"1625677454723\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user6/Library/Developer/CoreSimulator/Devices/BCE6B46B-E863-4151-AA9D-D71C79438C47/data/Containers/Data/Application/1249A061-F246-4338-AE56-4373E918C9B4/Library/Application Support/com.instacart.instashopper/LogCache/2021-07-06T23:44:46.133Z.zip\"}", "created": "2021-07-07T17:04:14.723Z", "kind": "event", @@ -4833,11 +4888,12 @@ "lat": 38.4203 } }, - "serial_number": "ffffffffbea440b9aad8b5bf222d303f", "address": "208.180.129.90", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.180.129.90" + "ip": "208.180.129.90", + "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "type": "agent", + "version": "6.24.13701.0" }, "@timestamp": "2021-07-07T17:04:05.731Z", "file": { 
@@ -4864,7 +4920,7 @@ "hostname": "comp2" }, "event": { - "ingested": "2021-08-13T09:21:37.460720400Z", + "ingested": "2021-11-22T09:23:55.465806700Z", "original": "{\"AgentVersion\":\"6.24.13701.0\",\"aip\":\"208.180.129.90\",\"ConfigIDBase\":\"65994753\",\"BiosReleaseDate\":\"01/06/2021\",\"CpuFeaturesMask\":\"7494065083858915\",\"ChasisManufacturer\":\"Apple Inc.\",\"SystemSerialNumber\":\"C02F649EMD6R\",\"event_platform\":\"Mac\",\"AgentLoadFlags\":\"0\",\"CpuVendor\":\"0\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"BiosVersion\":\"1554.80.3.0.0 (iBridge: 18.16.14347.0.0,0)\",\"CpuSignature\":\"591594\",\"EffectiveTransmissionClass\":\"0\",\"MoboProductName\":\"Mac-E1008331FDC96864\",\"timestamp\":\"1625677460451\",\"MicrocodeSignature\":\"16045690984229358334\",\"event_simpleName\":\"AgentOnline\",\"ContextTimeStamp\":\"1625677445.731\",\"SystemProductName\":\"MacBookPro16,1\",\"MoboManufacturer\":\"Apple Inc.\",\"ConfigStateHash\":\"3967242894\",\"ConfigBuild\":\"1007.4.0013701.1\",\"SystemSku\":\" \",\"SensorGroupingTags\":\"\",\"ConfigurationVersion\":\"10\",\"AgentLocalTime\":\"1625677445.731\",\"BiosManufacturer\":\"Apple Inc.\",\"Entitlements\":\"15\",\"name\":\"AgentOnlineMacV13\",\"ConfigIDPlatform\":\"4\",\"ComputerName\":\"comp2\",\"ChassisType\":\"9\",\"ConfigIDBuild\":\"13701\",\"SystemManufacturer\":\"Apple Inc.\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"ProvisionState\":\"1\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"Zero\"}", "created": "2021-07-07T17:04:20.451Z", "kind": "state", @@ -4883,7 +4939,6 @@ "outcome": "success" }, "crowdstrike": { - "AgentVersion": "6.24.13701.0", "ConfigIDBase": "65994753", "BiosReleaseDate": "01/06/2021", "CpuFeaturesMask": "7494065083858915", 
@@ -4899,6 +4954,7 @@ "SystemProductName": "MacBookPro16,1", "MoboManufacturer": "Apple Inc.", "ConfigStateHash": "3967242894", + "ConfigBuild": "1007.4.0013701.1", "SystemSku": " ", "ConfigurationVersion": "10", "AgentLocalTime": "2021-07-07T17:04:05.731Z", @@ -4939,11 +4995,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", "address": "208.93.153.49", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.93.153.49" + "ip": "208.93.153.49", + "serial_number": "ffffffff8eca418b7a861be9c5f7de1d", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:03:58.515Z", "file": { @@ -4968,7 +5025,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460728600Z", + "ingested": "2021-11-22T09:23:55.465813500Z", "original": "{\"event_simpleName\":\"CriticalFileAccessed\",\"ContextTimeStamp\":\"1625677438.515\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365053399098988534\",\"ContextThreadId\":\"0\",\"aip\":\"208.93.153.49\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"event_platform\":\"Mac\",\"UnixMode\":\"384\",\"Entitlements\":\"15\",\"name\":\"CriticalFileAccessedMacV1\",\"id\":\"ffffffff-1111-11eb-956a-02748d01bd3d\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff8eca418b7a861be9c5f7de1d\",\"timestamp\":\"1625677438553\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/dslocal/nodes/Default/users/daemon.plist\"}", "created": "2021-07-07T17:03:58.553Z", "kind": "alert", @@ -5011,11 +5068,12 @@ "lat": 38.4203 } }, - "serial_number": "ffffffffbea440b9aad8b5bf222d303f", "address": "208.180.129.90", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.180.129.90" + "ip": "208.180.129.90", + "serial_number": "ffffffffbea440b9aad8b5bf222d303f", + "type": "agent", + "version": "6.24.13701.0" }, "@timestamp": "2021-07-07T17:04:22.356Z", "os": { 
@@ -5037,7 +5095,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460736900Z", + "ingested": "2021-11-22T09:23:55.465820200Z", "original": "{\"MajorVersion\":\"19\",\"event_simpleName\":\"OsVersionInfo\",\"OSVersionFileData\":\"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\",\"ConfigStateHash\":\"3967242894\",\"AgentVersion\":\"6.24.13701.0\",\"aip\":\"208.180.129.90\",\"MinorVersion\":\"6\",\"OSVersionString\":\"Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"OsVersionInfoMacV3\",\"RFMState\":\"0\",\"id\":\"ffffffff-1111-11eb-b3de-06a53f021cc9\",\"OSVersionFileName\":\"/System/Library/CoreServices/SystemVersion.plist\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffbea440b9aad8b5bf222d303f\",\"timestamp\":\"1625677462356\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:22.356Z", "kind": "event", @@ -5053,9 +5111,9 @@ }, "crowdstrike": { "MajorVersion": "19", + "ConfigBuild": "1007.4.0013701.1", "OSVersionFileData": "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", "ConfigStateHash": "3967242894", - "AgentVersion": "6.24.13701.0", "Entitlements": "15", "name": "OsVersionInfoMacV3", "MinorVersion": "6", @@ -5082,11 +5140,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff4f4044b689d6420d303e4ecd", "address": "208.233.129.250", - "version": "1007.8.0010912.1", "vendor": "crowdstrike", - "ip": "208.233.129.250" + "ip": "208.233.129.250", + "serial_number": "ffffffff4f4044b689d6420d303e4ecd", + "type": "agent", + "version": "1007.8.0010912.1" }, "@timestamp": "2021-07-07T17:03:56.454Z", "os": { 
@@ -5107,7 +5166,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460745400Z", + "ingested": "2021-11-22T09:23:55.465826900Z", "original": "{\"ConfigBuild\":\"1007.8.0010912.1\",\"event_simpleName\":\"ConfigStateUpdate\",\"event_platform\":\"Lin\",\"ConfigStateHash\":\"1284133626\",\"ConfigStateData\":\"0,0,1007.8.0010912.1|1,c,0|1,10,1|1,11,0|1,12,1|1,13,1|1,14,19|1,15,3|1,1f,4|1,22,3|1,3b,1|1,59,2d|1,d3,263|1,d4,0|1,eb,36|1,201,1|2,0,a8000000032,140000000085,18000000004c,18000000004f,180000000054,18000000022a,180000000248,180000000279,18000000027a,1800000002b4,180400000079,180400000225,180c00000133,180c00000285,181000000128,181000000180,18100000021f,181000000220,181000000280,1c0400000205|\",\"name\":\"ConfigStateUpdateLinV1\",\"aip\":\"208.233.129.250\",\"id\":\"ffffffff-1111-11eb-8e88-068a8894a447\",\"aid\":\"ffffffff4f4044b689d6420d303e4ecd\",\"timestamp\":\"1625677436454\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:56.454Z", "kind": "event", @@ -5185,11 +5244,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff88b948c6abeeee910f6d8c33", "address": "208.203.151.21", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "208.203.151.21" + "ip": "208.203.151.21", + "serial_number": "ffffffff88b948c6abeeee910f6d8c33", + "type": "agent", + "version": "1007.8.0011611.1" }, "@timestamp": "2021-07-07T17:02:45.906Z", "file": { 
@@ -5211,7 +5271,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460753700Z", + "ingested": "2021-11-22T09:23:55.465833700Z", "original": "{\"event_simpleName\":\"LFODownloadConfirmation\",\"ConfigStateHash\":\"1333055909\",\"aip\":\"208.203.151.21\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"DownloadPath\":\"/osfm/linux/bde98295e6e5fa4c6ba2acfebc2e9943c836bf2223aebb8b29e03c44df43cb53\",\"DownloadPort\":\"443\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"LFODownloadConfirmationLinV1\",\"CompletionEventId\":\"Event_KmaExtDownloadCompleteLinV1\",\"id\":\"ffffffff-1111-11eb-8dee-0201f64cca29\",\"aid\":\"ffffffff88b948c6abeeee910f6d8c33\",\"timestamp\":\"1625677365906\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"KernelModuleArchiveExt11611\"}", "created": "2021-07-07T17:02:45.906Z", "kind": "event", @@ -5259,11 +5319,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffe6244708bd09a6c111f63f4a", "address": "208.23.66.52", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.23.66.52" + "ip": "208.23.66.52", + "serial_number": "ffffffffe6244708bd09a6c111f63f4a", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:02:33.633Z", "file": { 
@@ -5289,7 +5350,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460762100Z", + "ingested": "2021-11-22T09:23:55.465840400Z", "original": "{\"event_simpleName\":\"TarFileWritten\",\"ContextTimeStamp\":\"1625677353.633\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"365049009681176519\",\"ContextThreadId\":\"0\",\"aip\":\"208.23.66.52\",\"FileIdentifier\":\"050000010000000000000000000000005749420100000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"TarFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-9497-028a0bfcf603\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffe6244708bd09a6c111f63f4a\",\"timestamp\":\"1625677353895\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user7/.rbenv/versions/2.6.6/lib/ruby/gems/2.6.0/cache/database_cleaner-1.8.5.gem\"}", "created": "2021-07-07T17:02:33.895Z", "kind": "event", @@ -5322,11 +5383,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff2977460db2898ece881a9358", "address": "208.42.18.78", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.42.18.78" + "ip": "208.42.18.78", + "serial_number": "ffffffff2977460db2898ece881a9358", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:02:30.466Z", "os": { 
@@ -5347,7 +5409,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460770300Z", + "ingested": "2021-11-22T09:23:55.465847Z", "original": "{\"event_simpleName\":\"AgentConnect\",\"ConfigStateHash\":\"3967242894\",\"NetworkContainmentState\":\"0\",\"VerifiedCertificate\":\"7431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf\",\"aip\":\"208.42.18.78\",\"ConfigIDBase\":\"65994753\",\"FailedConnectCount\":\"404\",\"ConnectType\":\"1\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"ConfigurationVersion\":\"10\",\"Entitlements\":\"15\",\"name\":\"AgentConnectMacV5\",\"ConfigIDPlatform\":\"4\",\"PreviousConnectTime\":\"1625673963.331\",\"id\":\"ffffffff-1111-11eb-ba54-02a3616f6acd\",\"ConfigIDBuild\":\"13701\",\"ConnectTime\":\"1625677350.208\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff2977460db2898ece881a9358\",\"ProvisionState\":\"0\",\"timestamp\":\"1625677350466\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:02:30.466Z", "kind": "event", @@ -5422,11 +5484,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff5e8b4724aa10088c4f71cd9a", "address": "208.25.66.51", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.25.66.51" + "ip": "208.25.66.51", + "serial_number": "ffffffff5e8b4724aa10088c4f71cd9a", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:25.235Z", "file": { 
@@ -5448,7 +5511,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460778800Z", + "ingested": "2021-11-22T09:23:55.465853700Z", "original": "{\"event_simpleName\":\"LFODownloadConfirmation\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"208.25.66.51\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"DownloadPath\":\"metahash+/cfs/channelfiles/0000000503/66d5e9ea15754bcfb5f9152ec7ac90ac/C-00000503-00000000-00000001.sys\",\"DownloadPort\":\"443\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"LFODownloadConfirmationMacV1\",\"CompletionEventId\":\"Event_ChannelDataDownloadCompleteMacV1\",\"id\":\"ffffffff-1111-11eb-8b09-069ee8920171\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff5e8b4724aa10088c4f71cd9a\",\"timestamp\":\"1625677525235\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"C-00000503-00000000-00000001.sys\"}", "created": "2021-07-07T17:05:25.235Z", "kind": "event", @@ -5498,11 +5561,12 @@ }, "country_iso_code": "US" }, - "serial_number": "fffffffff1a64286a233d09974b1b377", "address": "208.140.108.235", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.140.108.235" + "ip": "208.140.108.235", + "serial_number": "fffffffff1a64286a233d09974b1b377", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:42.148Z", "file": { 
@@ -5526,7 +5590,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460787200Z", + "ingested": "2021-11-22T09:23:55.465860500Z", "original": "{\"event_simpleName\":\"AsepFileChange\",\"ContextTimeStamp\":\"1625677482.148\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"364936256754041721\",\"ContextThreadId\":\"0\",\"aip\":\"208.140.108.235\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"AsepFileChangeMacV1\",\"id\":\"ffffffff-1111-11eb-9e50-064be6e56df7\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"fffffffff1a64286a233d09974b1b377\",\"timestamp\":\"1625677482403\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/System/Library/AssetsV2/com_apple_MobileAsset_MacSoftwareUpdate/5968e4faeba359dd5270ac282340cc4bd94d348c.asset/AssetData/payloadv2/ecc_data/System/Library/Spotlight/SystemPrefs.mdimporter/Contents/MacOS/SystemPrefs\",\"VnodeModificationType\":\"6\"}", "created": "2021-07-07T17:04:42.403Z", "kind": "event", @@ -5577,11 +5641,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffdd094539a02b394c69a70aaf", "address": "208.194.125.248", - "version": "1007.8.0010912.1", "vendor": "crowdstrike", - "ip": "208.194.125.248" + "ip": "208.194.125.248", + "serial_number": "ffffffffdd094539a02b394c69a70aaf", + "type": "agent", + "version": "1007.8.0010912.1" }, "@timestamp": "2021-07-07T17:05:10.959Z", "ecs": { 
@@ -5599,7 +5664,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460795500Z", + "ingested": "2021-11-22T09:23:55.465867300Z", "original": "{\"event_simpleName\":\"TerminateProcess\",\"RawProcessId\":\"76482\",\"ContextTimeStamp\":\"1625677510.959\",\"ConfigStateHash\":\"1284133626\",\"ContextProcessId\":\"130732827553316\",\"ContextThreadId\":\"0\",\"aip\":\"208.194.125.248\",\"ConfigBuild\":\"1007.8.0010912.1\",\"event_platform\":\"Lin\",\"TargetProcessId\":\"130732827553316\",\"Entitlements\":\"15\",\"name\":\"TerminateProcessLinV2\",\"id\":\"ffffffff-1111-11eb-97d0-02b2813216eb\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffdd094539a02b394c69a70aaf\",\"timestamp\":\"1625677511067\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:11.067Z", "kind": "event", @@ -5633,11 +5698,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff70cf4070af024397f25007c7", "address": "208.31.114.187", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.31.114.187" + "ip": "208.31.114.187", + "serial_number": "ffffffff70cf4070af024397f25007c7", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:02:52.544Z", "os": { @@ -5658,7 +5724,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460803800Z", + "ingested": "2021-11-22T09:23:55.465874Z", "original": "{\"ConfigBuild\":\"1007.4.0013701.1\",\"event_simpleName\":\"FirewallEnabled\",\"event_platform\":\"Mac\",\"ConfigStateHash\":\"3090255842\",\"Entitlements\":\"15\",\"name\":\"FirewallEnabledMacV1\",\"aip\":\"208.31.114.187\",\"id\":\"ffffffff-1111-11eb-a9e6-067d21325a03\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff70cf4070af024397f25007c7\",\"timestamp\":\"1625677372544\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:02:52.544Z", "kind": "event", 
@@ -5701,11 +5767,12 @@ "lat": 42.0973 } }, - "serial_number": "ffffffffed984e248973f3ada1eb543d", "address": "208.105.245.7", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.105.245.7" + "ip": "208.105.245.7", + "serial_number": "ffffffffed984e248973f3ada1eb543d", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:02:12.283Z", "os": { @@ -5726,7 +5793,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460812200Z", + "ingested": "2021-11-22T09:23:55.465880700Z", "original": "{\"event_simpleName\":\"FsVolumeUnmounted\",\"VolumeName\":\"Install Google Drive\",\"ContextTimeStamp\":\"1625677332.283\",\"ConfigStateHash\":\"3090255842\",\"aip\":\"208.105.245.7\",\"VolumeMediaBSDName\":\"disk2s2\",\"VolumeMountPoint\":\"/private/tmp/KSInstallAction.dn6J5Xa1M4/m\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"FsVolumeUnmountedMacV1\",\"id\":\"ffffffff-1111-11eb-8fd9-06866dcbd3d5\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffed984e248973f3ada1eb543d\",\"timestamp\":\"1625677334451\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"VolumeIsNetwork\":\"0\"}", "created": "2021-07-07T17:02:14.451Z", "kind": "event", @@ -5796,11 +5863,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff2a0d484da8f7a9cf8bde7164", "address": "208.231.69.37", - "version": "1007.8.0011308.1", "vendor": "crowdstrike", - "ip": "208.231.69.37" + "ip": "208.231.69.37", + "serial_number": "ffffffff2a0d484da8f7a9cf8bde7164", + "type": "agent", + "version": "1007.8.0011308.1" }, "@timestamp": "2021-07-07T17:04:34.525Z", "ecs": { 
@@ -5820,7 +5888,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460820800Z", + "ingested": "2021-11-22T09:23:55.465887400Z", "original": "{\"LocalAddressIP4\":\"0.0.0.0\",\"event_simpleName\":\"NetworkListenIP4\",\"ContextTimeStamp\":\"1625677474.525\",\"ConfigStateHash\":\"2300098580\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"328911864662804336\",\"RemotePort\":\"0\",\"aip\":\"208.231.69.37\",\"ConfigBuild\":\"1007.8.0011308.1\",\"event_platform\":\"Lin\",\"LocalPort\":\"23165\",\"Entitlements\":\"15\",\"name\":\"NetworkListenIP4LinV5\",\"id\":\"ffffffff-1111-11eb-88fd-06a17d0fdc05\",\"Protocol\":\"6\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff2a0d484da8f7a9cf8bde7164\",\"RemoteAddressIP4\":\"0.0.0.0\",\"ConnectionDirection\":\"2\",\"InContext\":\"0\",\"timestamp\":\"1625677474879\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:34.879Z", "kind": "event", @@ -5870,11 +5938,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff28414c2293e35c360213e723", "address": "208.24.116.10", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.24.116.10" + "ip": "208.24.116.10", + "serial_number": "ffffffff28414c2293e35c360213e723", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:26.828Z", "file": { 
@@ -5906,7 +5975,7 @@ }, "event": { "action": "ELFFileWritten", - "ingested": "2021-08-13T09:21:37.460829Z", + "ingested": "2021-11-22T09:23:55.465894200Z", "original": "{\"event_simpleName\":\"ELFFileWritten\",\"ContextTimeStamp\":\"1625677526.828\",\"ConfigStateHash\":\"1620585913\",\"ContextProcessId\":\"363122200934575406\",\"Size\":\"38798952\",\"ContextThreadId\":\"0\",\"aip\":\"208.24.116.10\",\"SHA256HashData\":\"35e590a61d32b72651b0cd23594d04f4671d79a843106136cf6abc324cc19027\",\"FileIdentifier\":\"040000010000000000000000000000006793f80200000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"ELFFileWrittenMacV1\",\"id\":\"ffffffff-1111-11eb-985c-02152dd35bc1\",\"ELFSubType\":\"4\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff28414c2293e35c360213e723\",\"timestamp\":\"1625677527114\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/folders/3c/z7j1h7dx3nz3xkl10c1vyxgh0000gp/T/.com.google.Chrome.M2zGjQ/_platform_specific/x86-64/zoom_x86_64.nexe\"}", "id": "ffffffff-1111-11eb-985c-02152dd35bc1", "created": "2021-07-07T17:05:27.114Z" @@ -5931,11 +6000,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff2d1245c0a32d5efcf9351272", "address": "208.203.151.21", - "version": "1007.8.0011611.1", "vendor": "crowdstrike", - "ip": "208.203.151.21" + "ip": "208.203.151.21", + "serial_number": "ffffffff2d1245c0a32d5efcf9351272", + "type": "agent", + "version": "6.19.11611.0" }, "@timestamp": "2021-07-07T17:03:03.466Z", "os": { 
@@ -5957,7 +6027,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460837300Z", + "ingested": "2021-11-22T09:23:55.465900900Z", "original": "{\"MajorVersion\":\"4\",\"event_simpleName\":\"OsVersionInfo\",\"OSVersionFileData\":\"4e414d453d22416d617a6f6e204c696e7578220a56455253494f4e3d2232220a49443d22616d7a6e220a49445f4c494b453d2263656e746f73207268656c206665646f7261220a56455253494f4e5f49443d2232220a5052455454595f4e414d453d22416d617a6f6e204c696e75782032220a414e53495f434f4c4f523d22303b3333220a4350455f4e414d453d226370653a322e333a6f3a616d617a6f6e3a616d617a6f6e5f6c696e75783a32220a484f4d455f55524c3d2268747470733a2f2f616d617a6f6e6c696e75782e636f6d2f220a\",\"BootArgs\":\"BOOT_IMAGE\\u003d/boot/vmlinuz-4.14.232-176.381.amzn2.x86_64 root\\u003dUUID\\u003d9f548782-8f9f-4dd9-873a-436ea8f3e8a6 ro console\\u003dtty0 console\\u003dttyS0,115200n8 net.ifnames\\u003d0 biosdevname\\u003d0 nvme_core.io_timeout\\u003d4294967295 rd.emergency\\u003dpoweroff rd.shell\\u003d0\",\"ConfigStateHash\":\"3712162471\",\"AgentVersion\":\"6.19.11611.0\",\"aip\":\"208.203.151.21\",\"MinorVersion\":\"14\",\"OSVersionString\":\"Linux localhost 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 x86_64\",\"ConfigBuild\":\"1007.8.0011611.1\",\"event_platform\":\"Lin\",\"name\":\"OsVersionInfoLinV4\",\"RFMState\":\"1\",\"id\":\"ffffffff-1111-11eb-93d4-0624c36f3a79\",\"OSVersionFileName\":\"/etc/os-release\",\"aid\":\"ffffffff2d1245c0a32d5efcf9351272\",\"timestamp\":\"1625677383466\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:03.466Z", "kind": "event", 
@@ -5973,6 +6043,7 @@ }, "crowdstrike": { "MajorVersion": "4", + "ConfigBuild": "1007.8.0011611.1", "OSVersionFileData": "4e414d453d22416d617a6f6e204c696e7578220a56455253494f4e3d2232220a49443d22616d7a6e220a49445f4c494b453d2263656e746f73207268656c206665646f7261220a56455253494f4e5f49443d2232220a5052455454595f4e414d453d22416d617a6f6e204c696e75782032220a414e53495f434f4c4f523d22303b3333220a4350455f4e414d453d226370653a322e333a6f3a616d617a6f6e3a616d617a6f6e5f6c696e75783a32220a484f4d455f55524c3d2268747470733a2f2f616d617a6f6e6c696e75782e636f6d2f220a", "BootArgs": [ "BOOT_IMAGE=/boot/vmlinuz-4.14.232-176.381.amzn2.x86_64", @@ -5987,7 +6058,6 @@ "rd.shell=0" ], "ConfigStateHash": "3712162471", - "AgentVersion": "6.19.11611.0", "name": "OsVersionInfoLinV4", "MinorVersion": "14", "RFMState": "1", @@ -6027,11 +6097,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff761b4a7d9962dd9e7e776044", "address": "208.216.154.14", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.216.154.14" + "ip": "208.216.154.14", + "serial_number": "ffffffff761b4a7d9962dd9e7e776044", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:03:59.099Z", "file": { 
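Review bot: The `"AgentVersion": "6.19.11611.0"` field is dropped from `crowdstrike.*` in this hunk while `"ConfigBuild"` is added, and the same fixture's observer block for this event (previous hunk) now reports `"version": "6.19.11611.0"` whereas every other event in this file keeps a `1007.x` ConfigBuild value in `observer.version`. Mixing sensor version and config build in one field makes queries such as "all hosts on sensor < 6.20" unreliable, and it looks like only events carrying `AgentVersion` (OsVersionInfo here) get the real sensor version. If that is intended, it would help to document it in the integration's field description, e.g. `observer.version: sensor AgentVersion when the event carries it, otherwise the ConfigBuild string`; otherwise consider keeping the two values in separate fields. This is inferred from the expected-output fixture only; the pipeline change that produces it is not in this diff.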
@@ -6056,7 +6127,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460845600Z", + "ingested": "2021-11-22T09:23:55.465907500Z", "original": "{\"event_simpleName\":\"CriticalFileModified\",\"ContextTimeStamp\":\"1625677439.099\",\"GID\":\"0\",\"ConfigStateHash\":\"3090255842\",\"ContextProcessId\":\"364849347227309005\",\"ContextThreadId\":\"0\",\"aip\":\"208.216.154.14\",\"FileIdentifier\":\"04000001000000000000000000000000cdf3100100000000\",\"ConfigBuild\":\"1007.4.0013701.1\",\"UID\":\"0\",\"USN\":\"89566685\",\"event_platform\":\"Mac\",\"UnixMode\":\"384\",\"Entitlements\":\"15\",\"name\":\"CriticalFileModifiedMacV2\",\"id\":\"ffffffff-1111-11eb-9262-0268ab613b49\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffff761b4a7d9962dd9e7e776044\",\"timestamp\":\"1625677439398\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/private/var/db/dslocal/nodes/Default/users/user9.plist/\"}", "created": "2021-07-07T17:03:59.398Z", "kind": "alert", @@ -6097,11 +6168,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff01c7450180352a7c58a28fb4", "address": "208.230.229.237", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.230.229.237" + "ip": "208.230.229.237", + "serial_number": "ffffffff01c7450180352a7c58a28fb4", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:04:49.786Z", "os": { 
@@ -6122,7 +6194,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460853900Z", + "ingested": "2021-11-22T09:23:55.465914300Z", "original": "{\"event_simpleName\":\"NeighborListIP6\",\"ConfigStateHash\":\"3090255842\",\"NeighborList\":\"1C-AB-C0-9B-10-A2|2607:fea8:720:1bc8:1eab:c0ff:fe9b:10a2|0|\",\"aip\":\"208.230.229.237\",\"InterfaceIndex\":\"6\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"Entitlements\":\"15\",\"name\":\"NeighborListIP6MacV1\",\"id\":\"ffffffff-1111-11eb-ac8a-06b5e1186139\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"ffffffff01c7450180352a7c58a28fb4\",\"timestamp\":\"1625677489786\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:04:49.786Z", "kind": "state", @@ -6186,11 +6258,12 @@ "lat": 36.165 } }, - "serial_number": "ffffffffcebd42c0890d59b54279d3d3", "address": "208.182.203.47", - "version": "1007.4.0013806.1", "vendor": "crowdstrike", - "ip": "208.182.203.47" + "ip": "208.182.203.47", + "serial_number": "ffffffffcebd42c0890d59b54279d3d3", + "type": "agent", + "version": "1007.4.0013806.1" }, "@timestamp": "2021-07-07T17:03:02.785Z", "file": { 
@@ -6221,7 +6294,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460862100Z", + "ingested": "2021-11-22T09:23:55.465920900Z", "original": "{\"event_simpleName\":\"NewScriptWritten\",\"ContextTimeStamp\":\"1625677382.785\",\"UserName\":\"user3\",\"ConfigStateHash\":\"1325353086\",\"ContextProcessId\":\"364952259879648742\",\"Size\":\"8052\",\"ContextThreadId\":\"0\",\"aip\":\"208.182.203.47\",\"SHA256HashData\":\"359fd6e9a46f605d491225325125502ca6ba99a73ac3141f59af96627f128fc6\",\"FileIdentifier\":\"04000001000000000000000000000000ef07570000000000\",\"ConfigBuild\":\"1007.4.0013806.1\",\"event_platform\":\"Mac\",\"IsOnRemovableDisk\":\"0\",\"Entitlements\":\"15\",\"name\":\"NewScriptWrittenMacV3\",\"id\":\"ffffffff-1111-11eb-9dc1-029257dbe83b\",\"EffectiveTransmissionClass\":\"2\",\"aid\":\"ffffffffcebd42c0890d59b54279d3d3\",\"timestamp\":\"1625677383057\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"TargetFileName\":\"/Users/user3/git/it_eng_scripts/depnotify_starter/dep_notify_starter.sh\"}", "created": "2021-07-07T17:03:03.057Z", "kind": "event", @@ -6258,11 +6331,12 @@ }, "country_iso_code": "US" }, - "serial_number": "fffffffff2c7432859ff6bbe1a0bd6af", "address": "208.145.211.220", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.145.211.220" + "ip": "208.145.211.220", + "serial_number": "fffffffff2c7432859ff6bbe1a0bd6af", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:03:07.216Z", "os": { 
@@ -6283,7 +6357,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460870300Z", + "ingested": "2021-11-22T09:23:55.465927600Z", "original": "{\"event_simpleName\":\"SystemCapacity\",\"ConfigStateHash\":\"1620585913\",\"aip\":\"208.145.211.220\",\"CpuClockSpeed\":\"2400000000\",\"PhysicalCoreCount\":\"8\",\"CpuFeaturesMask\":\"7494065083908067\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"LogicalCoreCount\":\"16\",\"Entitlements\":\"15\",\"name\":\"SystemCapacityMacV1\",\"CpuVendor\":\"0\",\"CpuProcessorName\":\"Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz\",\"id\":\"ffffffff-1111-11eb-b714-066001392751\",\"CpuSignature\":\"591597\",\"EffectiveTransmissionClass\":\"3\",\"aid\":\"fffffffff2c7432859ff6bbe1a0bd6af\",\"ProcessorPackageCount\":\"1\",\"MemoryTotal\":\"17179869184\",\"timestamp\":\"1625677387216\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:03:07.216Z", "kind": "state", @@ -6334,11 +6408,12 @@ "lat": 39.6343 } }, - "serial_number": "ffffffff0d7b4d839912e55b4755e85b", "address": "208.71.69.91", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.71.69.91" + "ip": "208.71.69.91", + "serial_number": "ffffffff0d7b4d839912e55b4755e85b", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:02:48.429Z", "os": { 
@@ -6359,7 +6434,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460878900Z", + "ingested": "2021-11-22T09:23:55.465934800Z", "original": "{\"event_simpleName\":\"FirmwareAnalysisStatus\",\"ConfigStateHash\":\"3090255842\",\"FirmwareAnalysisEclControlInterfaceVersion\":\"0\",\"aip\":\"208.71.69.91\",\"ConfigBuild\":\"1007.4.0013701.1\",\"event_platform\":\"Mac\",\"FirmwareAnalysisEclConsumerInterfaceVersion\":\"0\",\"BootTimeFunctionalityLevel\":\"255\",\"ReasonOfFunctionalityLevel\":\"3\",\"CurrentFunctionalityLevel\":\"2\",\"Entitlements\":\"15\",\"name\":\"FirmwareAnalysisStatusMacV2\",\"id\":\"ffffffff-1111-11eb-ba57-0214a0d89bf7\",\"EffectiveTransmissionClass\":\"0\",\"aid\":\"ffffffff0d7b4d839912e55b4755e85b\",\"timestamp\":\"1625677368429\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\",\"PciAttachmentState\":\"65535\"}", "created": "2021-07-07T17:02:48.429Z", "kind": "state", @@ -6435,11 +6510,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff557f4b99a0afdea9ce8cd6fa", "address": "208.160.204.13", - "version": "1007.4.0013701.1", "vendor": "crowdstrike", - "ip": "208.160.204.13" + "ip": "208.160.204.13", + "serial_number": "ffffffff557f4b99a0afdea9ce8cd6fa", + "type": "agent", + "version": "1007.4.0013701.1" }, "@timestamp": "2021-07-07T17:05:04.544Z", "ecs": { 
@@ -6459,7 +6535,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460887300Z", + "ingested": "2021-11-22T09:23:55.465941600Z", "original": "{\"OutOctets\":\"0\",\"CreationTimeStamp\":\"\",\"aip\":\"208.160.204.13\",\"OutMulticastPkts\":\"0\",\"InErrors\":\"0\",\"InterfaceAlias\":\"utun2\",\"InDiscards\":\"0\",\"InterfaceIndex\":\"17\",\"event_platform\":\"Mac\",\"InterfaceType\":\"1\",\"id\":\"ffffffff-1111-11eb-a272-0294ad12fbe7\",\"PhysicalAddressLength\":\"0\",\"InUcastPkts\":\"0\",\"EffectiveTransmissionClass\":\"2\",\"timestamp\":\"1625677504544\",\"LocalAddressIP4\":\"208.27.234.231\",\"event_simpleName\":\"LocalIpAddressIP4\",\"ConfigStateHash\":\"3090255842\",\"PhysicalAddress\":\"\",\"OutErrors\":\"0\",\"InUnknownProtos\":\"0\",\"OutUcastPkts\":\"0\",\"InMulticastPkts\":\"0\",\"ConfigBuild\":\"1007.4.0013701.1\",\"InOctets\":\"0\",\"NetLuidIndex\":\"2\",\"Entitlements\":\"15\",\"name\":\"LocalIpAddressIP4MacV1\",\"aid\":\"ffffffff557f4b99a0afdea9ce8cd6fa\",\"cid\":\"ffffffff15754bcfb5f9152ec7ac90ac\"}", "created": "2021-07-07T17:05:04.544Z", "kind": "state", @@ -6539,11 +6615,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff70d140ca9ba97f0dddd14137", "address": "208.216.134.209", - "version": "1007.8.0009806.1", "vendor": "crowdstrike", - "ip": "208.216.134.209" + "ip": "208.216.134.209", + "serial_number": "ffffffff70d140ca9ba97f0dddd14137", + "type": "agent", + "version": "1007.8.0009806.1" }, "@timestamp": "2020-11-08T17:04:59.681Z", "ecs": { 
@@ -6563,7 +6640,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460895700Z", + "ingested": "2021-11-22T09:23:55.465948300Z", "original": "{\"CommandLine\":\"uname -a\",\"ConfigBuild\":\"1007.8.0009806.1\",\"ConfigStateHash\":\"4288861242\",\"Entitlements\":\"15\",\"GID\":\"0\",\"ImageFileName\":\"/bin/uname\",\"MD5HashData\":\"894356eb59e279696c304f07091b7fde\",\"NDRoot\":\"321385814512398584\",\"ParentProcessId\":\"321385814512398584\",\"ProcessEndTime\":\"1604855099.126\",\"ProcessGroupId\":\"0\",\"ProcessStartTime\":\"1604855099.126\",\"RGID\":\"0\",\"RUID\":\"0\",\"RawProcessId\":\"51342\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"de80fe0bd06a96543aaec5c634b08cbfc58dba88ea3a66871434a0dd3a9e9dfa\",\"SVGID\":\"0\",\"SVUID\":\"0\",\"SessionProcessId\":\"314116638974342642\",\"SourceProcessId\":\"321385814512398584\",\"SourceThreadId\":\"0\",\"TargetProcessId\":\"321385814512398605\",\"UID\":\"0\",\"aid\":\"ffffffff70d140ca9ba97f0dddd14137\",\"aip\":\"208.216.134.209\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Lin\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-ac87-06decddc17a1\",\"name\":\"ProcessRollup2LinV5\",\"timestamp\":\"1604855099681\"}", "created": "2020-11-08T17:04:59.681Z", "kind": "event", @@ -6628,11 +6705,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff75fc48f15cfe5f095e605c4c", "address": "208.3.106.158", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "208.3.106.158" + "ip": "208.3.106.158", + "serial_number": "ffffffff75fc48f15cfe5f095e605c4c", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T17:04:56.730Z", "ecs": { 
@@ -6651,7 +6729,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460903900Z", + "ingested": "2021-11-22T09:23:55.465954900Z", "original": "{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ContextProcessId\":\"317713210176499254\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855096.730\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"28987\",\"SHA256HashData\":\"6de76ab470a16b2a825d223b996d994623473c694c60fccbb71af8691e61c5e0\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"317713210176499254\",\"aid\":\"ffffffff75fc48f15cfe5f095e605c4c\",\"aip\":\"208.3.106.158\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-809e-02fff4e55a49\",\"name\":\"EndOfProcessMacV14\",\"timestamp\":\"1604855099646\"}", "created": "2020-11-08T17:04:59.646Z", "kind": "event", @@ -6722,11 +6800,12 @@ }, "country_iso_code": "CO" }, - "serial_number": "ffffffffb5db4b2e7ec89aba537adcc2", "address": "208.9.60.157", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.9.60.157" + "ip": "208.9.60.157", + "serial_number": "ffffffffb5db4b2e7ec89aba537adcc2", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:04:57.926Z", "ecs": { 
@@ -6745,7 +6824,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460912400Z", + "ingested": "2021-11-22T09:23:55.465961700Z", "original": "{\"AllocateVirtualMemoryCount\":\"0\",\"ArchiveFileWrittenCount\":\"0\",\"AsepWrittenCount\":\"0\",\"BinaryExecutableWrittenCount\":\"0\",\"CLICreationCount\":\"0\",\"ConHostId\":\"38188\",\"ConHostProcessId\":\"3099352216141\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextData\":\"\",\"ContextProcessId\":\"3100508103359\",\"ContextThreadId\":\"93436292950223\",\"ContextTimeStamp\":\"1604855097.926\",\"CreateProcessCount\":\"0\",\"CycleTime\":\"2937514388\",\"DirectoryCreatedCount\":\"0\",\"DirectoryEnumeratedCount\":\"1\",\"DnsRequestCount\":\"0\",\"DocumentFileWrittenCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ExeAndServiceCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"ExitCode\":\"0\",\"FileDeletedCount\":\"2\",\"GenericFileWrittenCount\":\"0\",\"ImageSubsystem\":\"3\",\"InjectedDllCount\":\"0\",\"InjectedThreadCount\":\"0\",\"KernelTime\":\"7500000\",\"MaxThreadCount\":\"4\",\"ModuleLoadCount\":\"38\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkConnectCountUdp\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkModuleLoadCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"ParentProcessId\":\"3099350649383\",\"PrivilegedProcessHandleCount\":\"0\",\"ProcessStartTime\":\"1604855096.463\",\"ProtectVirtualMemoryCount\":\"0\",\"QueueApcCount\":\"0\",\"RawProcessId\":\"33016\",\"RegKeySecurityDecreasedCount\":\"0\",\"RemovableDiskFileWrittenCount\":\"0\",\"RunDllInvocationCount\":\"0\",\"SHA256HashData\":\"faceb6f5d1cdc5ad50a4a1b92c4cd3fcdabcf7e8d418014a1b1221c1defa3d8f\",\"ScreenshotsTakenCount\":\"0\",\"ScriptEngineInvocationCount\":\"0\",\"ServiceEventCount\":\"0\",\"SetThreadContextCount\":\"0\",\"SnapshotFileOpenCount\":\"0\",\"SuspectSt
ackCount\":\"0\",\"SuspiciousCredentialModuleLoadCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"SuspiciousFontLoadCount\":\"0\",\"SuspiciousRawDiskReadCount\":\"0\",\"TargetProcessId\":\"3100508103359\",\"UnsignedModuleLoadCount\":\"0\",\"UserMemoryAllocateExecutableCount\":\"0\",\"UserMemoryAllocateExecutableRemoteCount\":\"0\",\"UserMemoryProtectExecutableCount\":\"0\",\"UserMemoryProtectExecutableRemoteCount\":\"0\",\"UserSid\":\"S-1-5-18\",\"UserTime\":\"6406250\",\"aid\":\"ffffffffb5db4b2e7ec89aba537adcc2\",\"aip\":\"208.9.60.157\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-8726-063418e4a9e7\",\"name\":\"EndOfProcessV15\",\"timestamp\":\"1604855099935\"}", "created": "2020-11-08T17:04:59.935Z", "kind": "event", @@ -6855,11 +6934,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", "address": "208.14.207.30", - "version": "1007.4.0009304.1", "vendor": "crowdstrike", - "ip": "208.14.207.30" + "ip": "208.14.207.30", + "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", + "type": "agent", + "version": "1007.4.0009304.1" }, "@timestamp": "2020-11-08T17:05:01.341Z", "ecs": { 
@@ -6878,7 +6958,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460920700Z", + "ingested": "2021-11-22T09:23:55.465968400Z", "original": "{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0009304.1\",\"ConfigStateHash\":\"3344040805\",\"ContextProcessId\":\"311775981885093125\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855101.341\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"10507\",\"SHA256HashData\":\"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"311775981885093125\",\"aid\":\"ffffffff1aa0482a5ea94f64e08e7b15\",\"aip\":\"208.14.207.30\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-bc03-065126dd0691\",\"name\":\"EndOfProcessMacV12\",\"timestamp\":\"1604855100139\"}", "created": "2020-11-08T17:05:00.139Z", "kind": "event", @@ -6954,11 +7034,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff3a5a424fa02450da53619745", "address": "208.216.142.127", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.142.127" + "ip": "208.216.142.127", + "serial_number": "ffffffff3a5a424fa02450da53619745", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:00.030Z", "ecs": { 
@@ -6978,7 +7059,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460929Z", + "ingested": "2021-11-22T09:23:55.465975100Z", "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"D:\\\\projects\\\\splunk-forwarder\\\\bin\\\\splunk-powershell.exe --ps2\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume2\\\\projects\\\\splunk-forwarder\\\\bin\\\\splunk-powershell.exe\",\"ImageSubsystem\":\"3\",\"IntegrityLevel\":\"16384\",\"MD5HashData\":\"571391f723a439e985a2064337e2802a\",\"ParentAuthenticationId\":\"999\",\"ParentBaseFileName\":\"splunkd.exe\",\"ParentProcessId\":\"17346335177\",\"ProcessCreateFlags\":\"67634688\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"24577\",\"ProcessStartTime\":\"1604855099.406\",\"ProcessSxsFlags\":\"64\",\"RawProcessId\":\"6116\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"7f326aad0ee45bfef93daede5597d70422d472084ae3295762654fb5021a8720\",\"SessionId\":\"0\",\"SourceProcessId\":\"17346335177\",\"SourceThreadId\":\"107650023406\",\"Tags\":\"27, 151, 12094627905582, 12094627906234\",\"TargetProcessId\":\"583707537390\",\"TokenType\":\"1\",\"UserSid\":\"S-1-5-18\",\"WindowFlags\":\"384\",\"aid\":\"ffffffff3a5a424fa02450da53619745\",\"aip\":\"208.216.142.127\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-a09e-06f79d630255\",\"name\":\"ProcessRollup2V17\",\"timestamp\":\"1604855100030\"}", "created": "2020-11-08T17:05:00.030Z", "kind": "event", 
@@ -7053,11 +7134,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff4f1444bab96568879cb43556", "address": "208.216.144.255", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.144.255" + "ip": "208.216.144.255", + "serial_number": "ffffffff4f1444bab96568879cb43556", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:04:55.961Z", "ecs": { @@ -7075,7 +7157,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460937300Z", + "ingested": "2021-11-22T09:23:55.465981800Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2784638081\",\"ContextProcessId\":\"259090530891\",\"ContextThreadId\":\"16409623709004\",\"ContextTimeStamp\":\"1604855095.961\",\"DnsRequestCount\":\"1\",\"DomainName\":\"comp1.dom2\",\"DualRequest\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InterfaceIndex\":\"0\",\"RequestType\":\"1\",\"aid\":\"ffffffff4f1444bab96568879cb43556\",\"aip\":\"208.216.144.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"DnsRequest\",\"id\":\"ffffffff-1111-11eb-8077-0606f7dcf2ed\",\"name\":\"DnsRequestV3\",\"timestamp\":\"1604855099913\"}", "created": "2020-11-08T17:04:59.913Z", "kind": "event", @@ -7126,11 +7208,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff32ba43a483e76c6f0a4aa26f", "address": "208.216.150.197", - "version": "1007.8.0009806.1", "vendor": "crowdstrike", - "ip": "208.216.150.197" + "ip": "208.216.150.197", + "serial_number": "ffffffff32ba43a483e76c6f0a4aa26f", + "type": "agent", + "version": "1007.8.0009806.1" }, "@timestamp": "2020-11-08T17:05:01.645Z", "file": { 
@@ -7154,7 +7237,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460945700Z", + "ingested": "2021-11-22T09:23:55.465991100Z", "original": "{\"ConfigBuild\":\"1007.8.0009806.1\",\"ConfigStateHash\":\"4288861242\",\"ContextProcessId\":\"321385820045701199\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855101.645\",\"Entitlements\":\"15\",\"GID\":\"0\",\"TargetFileName\":\"/etc/shadow\",\"UID\":\"0\",\"UnixMode\":\"32768\",\"aid\":\"ffffffff32ba43a483e76c6f0a4aa26f\",\"aip\":\"208.216.150.197\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Lin\",\"event_simpleName\":\"CriticalFileAccessed\",\"id\":\"ffffffff-1111-11eb-b70d-027f9ced2001\",\"name\":\"CriticalFileAccessedLinV1\",\"timestamp\":\"1604855102247\"}", "created": "2020-11-08T17:05:02.247Z", "kind": "alert", @@ -7189,7 +7272,6 @@ "-convert", "xml1", "-o", - "-", "/Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/tvOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/com.apple.DiagnosticExtensions.CrashLogs.appex/Info.plist" ], "parent": { @@ -7226,11 +7308,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", "address": "208.14.207.30", - "version": "1007.4.0009304.1", "vendor": "crowdstrike", - "ip": "208.14.207.30" + "ip": "208.14.207.30", + "serial_number": "ffffffff1aa0482a5ea94f64e08e7b15", + "type": "agent", + "version": "1007.4.0009304.1" }, "@timestamp": "2020-11-08T17:05:09.180Z", "ecs": { 
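Review bot: The `@@ -7189,7 +7272,6 @@` hunk drops the `"-"` element from `process.args`, so the parsed arguments read `-convert xml1 -o /Applications/.../Info.plist` while `process.command_line` (visible in the next hunk's `event.original`, `/usr/bin/plutil -convert xml1 -o - /Applications/...`) still says the output went to stdout. An analyst reading `process.args` would now conclude plutil overwrote the framework's `Info.plist` rather than printed it, which is a different and more suspicious action; `process.args` should stay a faithful split of the command line. The pipeline change that strips `-` is outside this diff, but it looks like the same blanket placeholder removal that drops `ClientComputerName: "-"` and the `"-"` entry in `related.hosts` later in this file, and it should be scoped to those host/identity fields rather than applied to `process.args`. I would keep `"-",` in the expected `args` array here and regenerate this file after narrowing the pipeline's removal.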
@@ -7250,7 +7333,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460954200Z", + "ingested": "2021-11-22T09:23:55.465998200Z", "original": "{\"CommandLine\":\"/usr/bin/plutil -convert xml1 -o - /Applications/Xcode.app/Contents/Developer/Platforms/AppleTVOS.platform/Developer/Library/CoreSimulator/Profiles/Runtimes/tvOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/DiagnosticExtensions.framework/PlugIns/com.apple.DiagnosticExtensions.CrashLogs.appex/Info.plist\",\"ConfigBuild\":\"1007.4.0009304.1\",\"ConfigStateHash\":\"3344040805\",\"Entitlements\":\"15\",\"GID\":\"0\",\"ImageFileName\":\"/usr/bin/plutil\",\"MD5HashData\":\"d51cef1b288e2032aee9805deff04bfd\",\"MachOSubType\":\"1\",\"ParentProcessId\":\"311774817965726568\",\"ProcessEndTime\":\"\",\"ProcessGroupId\":\"311774817965726568\",\"ProcessStartTime\":\"1604855111.240\",\"RGID\":\"0\",\"RUID\":\"0\",\"RawProcessId\":\"10692\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"3b00897e1eb587c5f77e3866ff6bdc80f5e70f839543242e0ee5a1581014adc3\",\"SVGID\":\"0\",\"SVUID\":\"0\",\"SourceProcessId\":\"311776004953765502\",\"SourceThreadId\":\"0\",\"Tags\":\"27, 12094627905582, 12094627906234\",\"TargetProcessId\":\"311776004953765502\",\"UID\":\"0\",\"aid\":\"ffffffff1aa0482a5ea94f64e08e7b15\",\"aip\":\"208.14.207.30\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-bc03-065126dd0691\",\"name\":\"ProcessRollup2MacV3\",\"timestamp\":\"1604855109180\"}", "created": "2020-11-08T17:05:09.180Z", "kind": "event", 
@@ -7315,11 +7398,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff8f1e4b77b4dae5debaa1c8bc", "address": "208.216.150.210", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.150.210" + "ip": "208.216.150.210", + "serial_number": "ffffffff8f1e4b77b4dae5debaa1c8bc", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:14.133Z", "file": { @@ -7345,7 +7429,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460962500Z", + "ingested": "2021-11-22T09:23:55.466005Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3899738370\",\"ContextProcessId\":\"1546527409909\",\"ContextThreadId\":\"4711690090889\",\"ContextTimeStamp\":\"1604855114.133\",\"DesiredAccess\":\"1180054\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"501ee2c32e53fb43b07f419f3236fb45c29e000000002c00\",\"FileObject\":\"18446655033844205120\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"88080484\",\"ShareAccess\":\"1\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\Temp\\\\__PSScriptPolicyTest_dvkjnbka.apn.ps1\",\"aid\":\"ffffffff8f1e4b77b4dae5debaa1c8bc\",\"aip\":\"208.216.150.210\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewScriptWritten\",\"id\":\"ffffffff-1111-11eb-80b5-06e11a66e03d\",\"name\":\"NewScriptWrittenV7\",\"timestamp\":\"1604855114427\"}", "created": "2020-11-08T17:05:14.427Z", "kind": "event", 
@@ -7434,11 +7518,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffd4094240a6b1d12aaf304f4f", "address": "208.216.150.211", - "version": "1007.4.0012205.1", "vendor": "crowdstrike", - "ip": "208.216.150.211" + "ip": "208.216.150.211", + "serial_number": "ffffffffd4094240a6b1d12aaf304f4f", + "type": "agent", + "version": "1007.4.0012205.1" }, "@timestamp": "2020-11-08T17:05:16.421Z", "ecs": { @@ -7460,7 +7545,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460971Z", + "ingested": "2021-11-22T09:23:55.466011700Z", "original": "{\"ConfigBuild\":\"1007.4.0012205.1\",\"ConfigStateHash\":\"1306766522\",\"ConnectionDirection\":\"1\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321275232072440993\",\"ContextTimeStamp\":\"1604855116.421\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"0.0.0.0\",\"LocalPort\":\"0\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"208.72.48.107\",\"RemotePort\":\"443\",\"aid\":\"ffffffffd4094240a6b1d12aaf304f4f\",\"aip\":\"208.216.150.211\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkConnectIP4\",\"id\":\"ffffffff-1111-11eb-aca9-02683aed2a0d\",\"name\":\"NetworkConnectIP4MacV5\",\"timestamp\":\"1604855116502\"}", "created": "2020-11-08T17:05:16.502Z", "kind": "event", @@ -7553,11 +7638,12 @@ }, "country_iso_code": "US" }, - "serial_number": "fffffffff000426eb99afaa2ccdcbc17", "address": "208.216.150.194", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.150.194" + "ip": "208.216.150.194", + "serial_number": "fffffffff000426eb99afaa2ccdcbc17", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:16.849Z", "ecs": { 
@@ -7579,7 +7665,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460979300Z", + "ingested": "2021-11-22T09:23:55.466018500Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2602391615\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"223442259384\",\"ContextTimeStamp\":\"1604855116.849\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"208.22.254.101\",\"LocalPort\":\"53961\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"208.91.140.216\",\"RemotePort\":\"443\",\"aid\":\"fffffffff000426eb99afaa2ccdcbc17\",\"aip\":\"208.216.150.194\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkConnectIP4\",\"id\":\"ffffffff-1111-11eb-b0eb-06be7616c211\",\"name\":\"NetworkConnectIP4V5\",\"timestamp\":\"1604855116942\"}", "created": "2020-11-08T17:05:16.942Z", "kind": "event", @@ -7630,11 +7716,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff8d2e4b4f9b21b40633a8d579", "address": "208.216.128.255", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.128.255" + "ip": "208.216.128.255", + "serial_number": "ffffffff8d2e4b4f9b21b40633a8d579", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:04:51.781Z", "ecs": { @@ -7646,8 +7733,7 @@ "user4" ], "hosts": [ - "208.216.128.255", - "-" + "208.216.128.255" ], "hash": [ "3011122681" 
@@ -7657,7 +7743,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460987600Z", + "ingested": "2021-11-22T09:23:55.466025200Z", "original": "{\"AuthenticationId\":\"6580764513\",\"AuthenticationPackage\":\"Negotiate\",\"ClientComputerName\":\"-\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"816054990879\",\"ContextThreadId\":\"52913017705957\",\"ContextTimeStamp\":\"1604855091.781\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonDomain\":\"NT AUTHORITY\",\"LogonServer\":\"\",\"LogonTime\":\"1604855091.781\",\"LogonType\":\"9\",\"PasswordLastSet\":\"\",\"RemoteAccount\":\"1\",\"UserFlags\":\"0\",\"UserIsAdmin\":\"0\",\"UserLogonFlags\":\"12\",\"UserName\":\"SYSTEM\",\"UserPrincipal\":\"user4@dom2\",\"UserSid\":\"S-1-5-18\",\"aid\":\"ffffffff8d2e4b4f9b21b40633a8d579\",\"aip\":\"208.216.128.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogon\",\"id\":\"ffffffff-1111-11eb-a8cf-0649c95cfa1d\",\"name\":\"UserLogonV8\",\"timestamp\":\"1604855121077\"}", "created": "2020-11-08T17:05:21.077Z", "kind": "event", @@ -7679,7 +7765,6 @@ "RemoteAccount": "1", "AuthenticationPackage": "Negotiate", "AuthenticationId": "6580764513", - "ClientComputerName": "-", "UserFlags": "0", "Entitlements": "15", "name": "UserLogonV8", @@ -7721,11 +7806,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff2c47454cba360bc404a607bb", "address": "208.216.144.255", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.144.255" + "ip": "208.216.144.255", + "serial_number": "ffffffff2c47454cba360bc404a607bb", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:20.785Z", "file": { 
@@ -7757,7 +7843,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.460996Z", + "ingested": "2021-11-22T09:23:55.466032Z", "original": "{\"AuthenticationId\":\"2007206396\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"4415814628770\",\"ContextThreadId\":\"41392001729898\",\"ContextTimeStamp\":\"1604855120.785\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_1000\\u0026DEV_0054\\u0026SUBSYS_197615AD\\u0026REV_01\\\\4\\u00261f16fef7\\u00260\\u002600A8\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"b57cb59769dfe71180b4806e6f6e6963ea8902000000cb2c\",\"FileObject\":\"18446708893089967904\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"0\",\"IsTransactedFile\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"SHA256HashData\":\"d0e1b81f3f3f18256f6447703624019eaee9b1068b3f09323eced4f547cc4182\",\"Size\":\"6144\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume2\\\\Users\\\\user10\\\\AppData\\\\Local\\\\Temp\\\\ec1ijefl.dll\",\"TokenType\":\"1\",\"aid\":\"ffffffff2c47454cba360bc404a607bb\",\"aip\":\"208.216.144.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"PeFileWritten\",\"id\":\"ffffffff-1111-11eb-b091-06f6cca0a049\",\"name\":\"PeFileWrittenV14\",\"timestamp\":\"1604855121109\"}", "created": "2020-11-08T17:05:21.109Z", "kind": "event", @@ -7810,11 +7896,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffe0104823bd3de859d5bc8bc7", "address": "208.216.134.211", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.134.211" + "ip": "208.216.134.211", + "serial_number": "ffffffffe0104823bd3de859d5bc8bc7", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:34.461Z", "ecs": { 
@@ -7837,7 +7924,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461004400Z", + "ingested": "2021-11-22T09:23:55.466038700Z", "original": "{\"AuthenticationId\":\"317005428\",\"AuthenticationPackage\":\"Negotiate\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3950066843\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogoffTime\":\"1604855132.756\",\"LogonDomain\":\"dom1\",\"LogonServer\":\"srv2\",\"LogonTime\":\"1604855131.666\",\"LogonType\":\"7\",\"PasswordLastSet\":\"1598119332.510\",\"RemoteAccount\":\"1\",\"UserFlags\":\"32\",\"UserIsAdmin\":\"0\",\"UserLogoffType\":\"3\",\"UserLogonFlags\":\"0\",\"UserName\":\"user4\",\"UserPrincipal\":\"user.name@dom2.com\",\"UserSid\":\"S-1-5-21-606747145-1364589140-725345543-28636\",\"aid\":\"ffffffffe0104823bd3de859d5bc8bc7\",\"aip\":\"208.216.134.211\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogoff\",\"id\":\"ffffffff-1111-11eb-8913-0287fd11c79b\",\"name\":\"UserLogoffV3\",\"timestamp\":\"1604855134461\"}", "created": "2020-11-08T17:05:34.461Z", "kind": "event", @@ -7904,11 +7991,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff425942f58382dbb11350eeda", "address": "208.216.150.192", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.150.192" + "ip": "208.216.150.192", + "serial_number": "ffffffff425942f58382dbb11350eeda", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:03:45.966Z", "file": { 
@@ -7934,7 +8022,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461012800Z", + "ingested": "2021-11-22T09:23:55.466045400Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"537307300\",\"ContextProcessId\":\"635780922149\",\"ContextThreadId\":\"9479299143023\",\"ContextTimeStamp\":\"1604855025.966\",\"DesiredAccess\":\"1180054\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"128\",\"FileIdentifier\":\"0e02a8c7ed9d244887cef0409af0e6190030000000001100\",\"FileObject\":\"18446695174291796544\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"83886176\",\"ShareAccess\":\"3\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume4\\\\Program Files\\\\Snow Software\\\\Inventory\\\\Agent\\\\cloudmeteringhost.exe\",\"aid\":\"ffffffff425942f58382dbb11350eeda\",\"aip\":\"208.216.150.192\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewExecutableWritten\",\"id\":\"ffffffff-1111-11eb-93cb-067deb43537b\",\"name\":\"NewExecutableWrittenV1\",\"timestamp\":\"1604855149643\"}", "created": "2020-11-08T17:05:49.643Z", "kind": "event", @@ -8008,11 +8096,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffa51b4acf9dbc1fc273e6145c", "address": "208.222.216.124", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.222.216.124" + "ip": "208.222.216.124", + "serial_number": "ffffffffa51b4acf9dbc1fc273e6145c", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:50.066Z", "ecs": { 
@@ -8034,7 +8123,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461021100Z", + "ingested": "2021-11-22T09:23:55.466052100Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ConnectionDirection\":\"2\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"50714198593318\",\"ContextThreadId\":\"194302491825207\",\"ContextTimeStamp\":\"1604855150.066\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"127.0.0.1\",\"LocalPort\":\"59491\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"0.0.0.0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffa51b4acf9dbc1fc273e6145c\",\"aip\":\"208.222.216.124\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkListenIP4\",\"id\":\"ffffffff-1111-11eb-8726-063418e4a9e7\",\"name\":\"NetworkListenIP4V5\",\"timestamp\":\"1604855150545\"}", "created": "2020-11-08T17:05:50.545Z", "kind": "event", @@ -8107,11 +8196,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffd8844a59acce5e1f4ad01888", "address": "208.216.128.255", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.128.255" + "ip": "208.216.128.255", + "serial_number": "ffffffffd8844a59acce5e1f4ad01888", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:52.993Z", "ecs": { 
@@ -8135,7 +8225,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461029600Z", + "ingested": "2021-11-22T09:23:55.466058700Z", "original": "{\"ClientComputerName\":\"com1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"7073822473144\",\"ContextThreadId\":\"48689911139327\",\"ContextTimeStamp\":\"1604855152.993\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"EtwRawProcessId\":\"744\",\"EtwRawThreadId\":\"5304\",\"LogonDomain\":\"BROADCAST\",\"LogonType\":\"3\",\"RemoteAddressIP4\":\"208.80.28.100\",\"Status\":\"3221225581\",\"SubStatus\":\"3221225578\",\"UserName\":\"user5\",\"aid\":\"ffffffffd8844a59acce5e1f4ad01888\",\"aip\":\"208.216.128.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogonFailed2\",\"id\":\"ffffffff-1111-11eb-a8aa-067029dffccb\",\"name\":\"UserLogonFailed2V2\",\"timestamp\":\"1604855154274\"}", "created": "2020-11-08T17:05:54.274Z", "kind": "event", @@ -8192,11 +8282,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff4a0946365161093453e596d4", "address": "208.216.150.195", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.150.195" + "ip": "208.216.150.195", + "serial_number": "ffffffff4a0946365161093453e596d4", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:51.534Z", "file": { 
@@ -8222,7 +8313,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461038100Z", + "ingested": "2021-11-22T09:23:55.466065400Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextProcessId\":\"1838383212125\",\"ContextThreadId\":\"27242382481217\",\"ContextTimeStamp\":\"1604855151.534\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileIdentifier\":\"b0754a8f86feffffb0754a8f86feffff09764a8f86feffff\",\"FileObject\":\"18446636884348143072\",\"IrpFlags\":\"1028\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Program Files\\\\WindowsApps\\\\Deleted\\\\Microsoft.Getstarted_9.10.32461.0_x64__8wekyb3d8bbweacf6b996-01b3-402c-bd01-a67529f94699\\\\clrcompression.dll\",\"aid\":\"ffffffff4a0946365161093453e596d4\",\"aip\":\"208.216.150.195\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ExecutableDeleted\",\"id\":\"ffffffff-1111-11eb-b23b-064dea059649\",\"name\":\"ExecutableDeletedV3\",\"timestamp\":\"1604855154670\"}", "created": "2020-11-08T17:05:54.670Z", "kind": "event", @@ -8279,11 +8370,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffcfe84e8c6a52c4001bd83761", "address": "208.173.124.176", - "version": "1007.4.0009202.1", "vendor": "crowdstrike", - "ip": "208.173.124.176" + "ip": "208.173.124.176", + "serial_number": "ffffffffcfe84e8c6a52c4001bd83761", + "type": "agent", + "version": "1007.4.0009202.1" }, "@timestamp": "2020-11-08T17:05:35.209Z", "ecs": { 
@@ -8302,7 +8394,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461046500Z", + "ingested": "2021-11-22T09:23:55.466072200Z", "original": "{\"AsepWrittenCount\":\"0\",\"ConfigBuild\":\"1007.4.0009202.1\",\"ConfigStateHash\":\"230795414\",\"ContextProcessId\":\"318137549555284836\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604855135.209\",\"DirectoryCreatedCount\":\"0\",\"DnsRequestCount\":\"0\",\"Entitlements\":\"15\",\"ExecutableDeletedCount\":\"0\",\"FileDeletedCount\":\"0\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"RawProcessId\":\"20195\",\"SHA256HashData\":\"295fbc2356e8605e804f95cb6d6f992335e247dbf11767fe8781e2a7f889978a\",\"SuspectStackCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"TargetProcessId\":\"318137549555284836\",\"aid\":\"ffffffffcfe84e8c6a52c4001bd83761\",\"aip\":\"208.173.124.176\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-ae31-065d76bec0c3\",\"name\":\"EndOfProcessMacV11\",\"timestamp\":\"1604855160047\"}", "created": "2020-11-08T17:06:00.047Z", "kind": "event", @@ -8365,11 +8457,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff80984ea8b49d9a53f590c566", "address": "208.24.76.36", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.24.76.36" + "ip": "208.24.76.36", + "serial_number": "ffffffff80984ea8b49d9a53f590c566", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:11.731Z", "ecs": { 
@@ -8387,7 +8480,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461054700Z", + "ingested": "2021-11-22T09:23:55.466078900Z", "original": "{\"ApiReturnValue\":\"1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"683078218537\",\"ContextTimeStamp\":\"1604855171.731\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"EtwRawProcessId\":\"19400\",\"EtwRawThreadId\":\"9384\",\"aid\":\"ffffffff80984ea8b49d9a53f590c566\",\"aip\":\"208.24.76.36\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RegisterRawInputDevicesEtw\",\"id\":\"ffffffff-1111-11eb-a570-0685ba2a382f\",\"name\":\"RegisterRawInputDevicesEtwV1\",\"timestamp\":\"1604855173077\"}", "created": "2020-11-08T17:06:13.077Z", "kind": "event", @@ -8445,11 +8538,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffffc94c645268f64fc900213f", "address": "208.64.212.186", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.64.212.186" + "ip": "208.64.212.186", + "serial_number": "ffffffffffc94c645268f64fc900213f", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:14.018Z", "file": { 
@@ -8471,7 +8565,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461062900Z", + "ingested": "2021-11-22T09:23:55.466085600Z", "original": "{\"CompletionEventId\":\"Event_ChannelDataDownloadCompleteV1\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"DownloadPath\":\"metahash+/cfs/channelfiles/0000000013/b2acba1a30a3407dae27d0503611022d/C-00000013-00000000-00000408.sys\",\"DownloadPort\":\"443\",\"DownloadServer\":\"lfodown01-b.cloudsink.net\",\"EffectiveTransmissionClass\":\"0\",\"Entitlements\":\"15\",\"TargetFileName\":\"C-00000013-00000000-00000408.sys\",\"aid\":\"ffffffffffc94c645268f64fc900213f\",\"aip\":\"208.64.212.186\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"LFODownloadConfirmation\",\"id\":\"ffffffff-1111-11eb-8ab5-0643392fc75d\",\"name\":\"LFODownloadConfirmationV1\",\"timestamp\":\"1604855174018\"}", "created": "2020-11-08T17:06:14.018Z", "kind": "event", @@ -8524,11 +8618,12 @@ "lat": 42.7198 } }, - "serial_number": "ffffffff280b41b956a91e816bd9b9b0", "address": "208.105.150.175", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.105.150.175" + "ip": "208.105.150.175", + "serial_number": "ffffffff280b41b956a91e816bd9b9b0", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:46.590Z", "file": { 
@@ -8554,7 +8649,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461071200Z", + "ingested": "2021-11-22T09:23:55.466092400Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"2071361595421\",\"ContextThreadId\":\"41650430047375\",\"ContextTimeStamp\":\"1604855146.590\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileIdentifier\":\"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00\",\"FileObject\":\"18446622606546437424\",\"IrpFlags\":\"395312\",\"MajorFunction\":\"6\",\"MinorFunction\":\"0\",\"NewFileIdentifier\":\"4b0121a43dfc1f4ca54eea679ddbcd4eef2103000000ca00\",\"OperationFlags\":\"0\",\"SourceFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\assembly\\\\temp\\\\EKA0UARWWK\\\\Microsoft.WSMan.Management.ni.dll\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\assembly\\\\NativeImages_v4.0.30319_64\\\\Microsoft.We0722664#\\\\c2579d00f9849413b8b7948dd00ac863\\\\Microsoft.WSMan.Management.ni.dll\",\"aid\":\"ffffffff280b41b956a91e816bd9b9b0\",\"aip\":\"208.105.150.175\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NewExecutableRenamed\",\"id\":\"ffffffff-1111-11eb-8162-0663305b686f\",\"name\":\"NewExecutableRenamedV6\",\"timestamp\":\"1604855177513\"}", "created": "2020-11-08T17:06:17.513Z", "kind": "event", @@ -8609,11 +8704,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff2c9f4066b0b5f2f00265503c", "address": "208.216.128.255", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.128.255" + "ip": "208.216.128.255", + "serial_number": "ffffffff2c9f4066b0b5f2f00265503c", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:05.213Z", "file": { 
@@ -8638,7 +8734,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461079500Z", + "ingested": "2021-11-22T09:23:55.466099100Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"402097454\",\"ContextProcessId\":\"66601077523\",\"ContextThreadId\":\"2500785639062\",\"ContextTimeStamp\":\"1604855165.213\",\"DesiredAccess\":\"1048577\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"128\",\"FileIdentifier\":\"d2f4250ff1ba3b4ca66e123c5269884ca6f8020000002700\",\"FileObject\":\"18446641334185168032\",\"Information\":\"2\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"35668001\",\"ShareAccess\":\"3\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\CbsTemp\\\\30848497_1904507751\\\\FodWU\",\"aid\":\"ffffffff2c9f4066b0b5f2f00265503c\",\"aip\":\"208.216.128.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"DirectoryCreate\",\"id\":\"ffffffff-1111-11eb-9411-06b7c99be087\",\"name\":\"DirectoryCreateV1\",\"timestamp\":\"1604855180332\"}", "created": "2020-11-08T17:06:20.332Z", "kind": "event", @@ -8706,11 +8802,12 @@ }, "country_iso_code": "US" }, - "serial_number": "fffffffffcc4413057adc260e99b0774", "address": "208.9.106.189", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.9.106.189" + "ip": "208.9.106.189", + "serial_number": "fffffffffcc4413057adc260e99b0774", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:36.468Z", "ecs": { 
@@ -8731,7 +8828,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461087900Z", + "ingested": "2021-11-22T09:23:55.466105900Z", "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k netsvcs -p -s wlidsvc\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3343111420\",\"ContextTimeStamp\":\"1604855196.468\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\svchost.exe\",\"InterfaceGuid\":\"367ABB81-9844-35F1-AD32-98F038001003\",\"InterfaceVersion\":\"131072\",\"RpcClientProcessId\":\"949196415400\",\"RpcClientThreadId\":\"44209361549673\",\"RpcNestingLevel\":\"0\",\"RpcOpNum\":\"19\",\"ServiceDisplayName\":\"wlidsvc\",\"TargetProcessId\":\"955370934902\",\"TokenType\":\"1\",\"UserName\":\"user6\",\"aid\":\"fffffffffcc4413057adc260e99b0774\",\"aip\":\"208.9.106.189\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ServiceStarted\",\"id\":\"ffffffff-1111-11eb-9c98-02c501fe7d81\",\"name\":\"ServiceStartedV2\",\"timestamp\":\"1604855196635\"}", "created": "2020-11-08T17:06:36.635Z", "kind": "event", @@ -8802,11 +8899,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffed0f41575620ab9fb25ce105", "address": "208.62.90.250", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "208.62.90.250" + "ip": "208.62.90.250", + "serial_number": "ffffffffed0f41575620ab9fb25ce105", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T17:06:40.751Z", "ecs": { 
@@ -8828,7 +8926,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461096100Z", + "ingested": "2021-11-22T09:23:55.466112500Z", "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"203564169\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"319255017313886870\",\"ContextTimeStamp\":\"1604855200.751\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"LocalPort\":\"0\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:1\",\"RemotePort\":\"2181\",\"aid\":\"ffffffffed0f41575620ab9fb25ce105\",\"aip\":\"208.62.90.250\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkConnectIP6\",\"id\":\"ffffffff-1111-11eb-81f1-061cdebbd115\",\"name\":\"NetworkConnectIP6MacV5\",\"timestamp\":\"1604855200836\"}", "created": "2020-11-08T17:06:40.836Z", "kind": "event", @@ -8878,11 +8976,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff73164cfa9656c4caff8a2a38", "address": "208.216.134.209", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.134.209" + "ip": "208.216.134.209", + "serial_number": "ffffffff73164cfa9656c4caff8a2a38", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:52.031Z", "ecs": { 
@@ -8904,7 +9003,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461104400Z", + "ingested": "2021-11-22T09:23:55.466119300Z", "original": "{\"AuthenticationId\":\"1656178821\",\"AuthenticationPackage\":\"Kerberos\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"30254389526587\",\"ContextThreadId\":\"275230771323179\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonDomain\":\"dom1\",\"LogonId\":\"1656178821\",\"LogonServer\":\"srv1\",\"LogonTime\":\"1604855211.249\",\"LogonType\":\"5\",\"PasswordLastSet\":\"1530626210.104\",\"RemoteAccount\":\"1\",\"SessionId\":\"0\",\"UserCanonical\":\"\",\"UserFlags\":\"32\",\"UserIsAdmin\":\"0\",\"UserLogonFlags\":\"0\",\"UserName\":\"user7\",\"UserPrincipal\":\"user7@dom4.cm\",\"UserSid\":\"S-1-5-21-606747145-1364589140-725345543-183372\",\"aid\":\"ffffffff73164cfa9656c4caff8a2a38\",\"aip\":\"208.216.134.209\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserIdentity\",\"id\":\"ffffffff-1111-11eb-86e3-02db1faa1327\",\"name\":\"UserIdentityV2\",\"timestamp\":\"1604855212031\"}", "created": "2020-11-08T17:06:52.031Z", "kind": "event", @@ -8993,11 +9092,12 @@ "lat": 33.6454 } }, - "serial_number": "ffffffffbe8a46386afe80c5ef64d0b5", "address": "208.65.31.23", - "version": "1007.3.0010609.1", "vendor": "crowdstrike", - "ip": "208.65.31.23" + "ip": "208.65.31.23", + "serial_number": "ffffffffbe8a46386afe80c5ef64d0b5", + "type": "agent", + "version": "1007.3.0010609.1" }, "@timestamp": "2020-11-08T17:07:17.946Z", "ecs": { 
@@ -9017,7 +9117,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461114800Z", + "ingested": "2021-11-22T09:23:55.466126Z", "original": "{\"AuthenticationId\":\"999\",\"CommandLine\":\"C:\\\\WINDOWS\\\\System32\\\\svchost.exe -k netsvcs -p -s NetSetupSvc\",\"ConfigBuild\":\"1007.3.0010609.1\",\"ConfigStateHash\":\"4193986770\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\svchost.exe\",\"ImageSubsystem\":\"2\",\"IntegrityLevel\":\"16384\",\"MD5HashData\":\"8a0a29438052faed8a2532da50455756\",\"ParentAuthenticationId\":\"999\",\"ParentProcessId\":\"2881931477041\",\"ProcessCreateFlags\":\"525324\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"8193\",\"ProcessStartTime\":\"1604842733.215\",\"ProcessSxsFlags\":\"64\",\"RawProcessId\":\"6160\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6\",\"SessionId\":\"0\",\"SourceProcessId\":\"2881931477041\",\"SourceThreadId\":\"70316664105336\",\"Tags\":\"27, 29, 53, 54, 55, 185, 10445360464024, 10445360464025, 10445360464026, 10445360464258, 10445360464273, 10445360464274, 12094627905582, 12094627906234, 211655988347297\",\"TargetProcessId\":\"2882232404222\",\"TokenType\":\"2\",\"UserSid\":\"S-1-5-18\",\"WindowFlags\":\"128\",\"aid\":\"ffffffffbe8a46386afe80c5ef64d0b5\",\"aip\":\"208.65.31.23\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-b4f9-06e3a7e5503b\",\"name\":\"ProcessRollup2V16\",\"timestamp\":\"1604855237946\"}", "created": "2020-11-08T17:07:17.946Z", "kind": "event", 
@@ -9097,11 +9197,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffac4148947ed68497e89f3308", "address": "208.226.182.36", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.226.182.36" + "ip": "208.226.182.36", + "serial_number": "ffffffffac4148947ed68497e89f3308", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T09:58:32.519Z", "file": { @@ -9127,7 +9228,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461123400Z", + "ingested": "2021-11-22T09:23:55.466132700Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1763245019\",\"ContextProcessId\":\"1016182570608\",\"ContextThreadId\":\"37343520154472\",\"ContextTimeStamp\":\"1604829512.519\",\"DesiredAccess\":\"1179785\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileAttributes\":\"0\",\"FileIdentifier\":\"7a9c1c1610045d45a54bd6643ac12ea767a5020000000c00\",\"FileObject\":\"18446670458156489088\",\"Information\":\"1\",\"IrpFlags\":\"2180\",\"MajorFunction\":\"0\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Options\":\"16777312\",\"ShareAccess\":\"5\",\"Status\":\"0\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user11\\\\Downloads\\\\file.pptx\",\"aid\":\"ffffffffac4148947ed68497e89f3308\",\"aip\":\"208.226.182.36\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"RansomwareOpenFile\",\"id\":\"ffffffff-1111-11eb-9756-06fe7f8f682f\",\"name\":\"RansomwareOpenFileV4\",\"timestamp\":\"1604855242091\"}", "created": "2020-11-08T17:07:22.091Z", "kind": "alert", 
@@ -9195,11 +9296,12 @@ }, "country_iso_code": "US" }, - "serial_number": "fffffffffdab492a5a20cd0417395a73", "address": "208.216.134.192", - "version": "1007.3.0010609.1", "vendor": "crowdstrike", - "ip": "208.216.134.192" + "ip": "208.216.134.192", + "serial_number": "fffffffffdab492a5a20cd0417395a73", + "type": "agent", + "version": "1007.3.0010609.1" }, "@timestamp": "2020-11-08T17:07:54.377Z", "ecs": { 
@@ -9218,7 +9320,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461131700Z", + "ingested": "2021-11-22T09:23:55.466139400Z", "original": "{\"AllocateVirtualMemoryCount\":\"0\",\"ArchiveFileWrittenCount\":\"0\",\"AsepWrittenCount\":\"0\",\"BinaryExecutableWrittenCount\":\"0\",\"CLICreationCount\":\"0\",\"ConHostId\":\"13532\",\"ConHostProcessId\":\"1731198143955\",\"ConfigBuild\":\"1007.3.0010609.1\",\"ConfigStateHash\":\"2030177841\",\"ContextData\":\"\",\"ContextProcessId\":\"1741732942772\",\"ContextThreadId\":\"28523520529271\",\"ContextTimeStamp\":\"1604855274.377\",\"CycleTime\":\"473618996\",\"DirectoryCreatedCount\":\"0\",\"DirectoryEnumeratedCount\":\"0\",\"DnsRequestCount\":\"0\",\"DocumentFileWrittenCount\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ExeAndServiceCount\":\"0\",\"ExecutableDeletedCount\":\"0\",\"ExitCode\":\"0\",\"FileDeletedCount\":\"0\",\"GenericFileWrittenCount\":\"0\",\"ImageSubsystem\":\"2\",\"InjectedDllCount\":\"0\",\"InjectedThreadCount\":\"0\",\"KernelTime\":\"1406250\",\"MaxThreadCount\":\"16\",\"ModuleLoadCount\":\"72\",\"NetworkBindCount\":\"0\",\"NetworkCapableAsepWriteCount\":\"0\",\"NetworkCloseCount\":\"0\",\"NetworkConnectCount\":\"0\",\"NetworkConnectCountUdp\":\"0\",\"NetworkListenCount\":\"0\",\"NetworkModuleLoadCount\":\"0\",\"NetworkRecvAcceptCount\":\"0\",\"NewExecutableWrittenCount\":\"0\",\"ParentProcessId\":\"1731198143955\",\"PrivilegedProcessHandleCount\":\"0\",\"ProcessStartTime\":\"1604855154.465\",\"ProtectVirtualMemoryCount\":\"0\",\"QueueApcCount\":\"0\",\"RawProcessId\":\"18176\",\"RegKeySecurityDecreasedCount\":\"0\",\"RemovableDiskFileWrittenCount\":\"0\",\"RunDllInvocationCount\":\"0\",\"SHA256HashData\":\"87419b84f34cdb13f699c0f0803c957e48c27ad83334fcad7bac9ad89c0a466f\",\"ScreenshotsTakenCount\":\"0\",\"ScriptEngineInvocationCount\":\"0\",\"ServiceEventCount\":\"0\",\"SetThreadContextCount\":\"0\",\"SnapshotFileOpenCount\":\"0\",\"SuspectStackCount\":\"0\",\"Suspicious
CredentialModuleLoadCount\":\"0\",\"SuspiciousDnsRequestCount\":\"0\",\"SuspiciousFontLoadCount\":\"0\",\"SuspiciousRawDiskReadCount\":\"0\",\"TargetProcessId\":\"1741732942772\",\"UnsignedModuleLoadCount\":\"0\",\"UserMemoryAllocateExecutableCount\":\"0\",\"UserMemoryAllocateExecutableRemoteCount\":\"0\",\"UserMemoryProtectExecutableCount\":\"0\",\"UserMemoryProtectExecutableRemoteCount\":\"0\",\"UserSid\":\"S-1-12-1-1647509123-1308660782-3901357462-3999411581\",\"UserTime\":\"781250\",\"aid\":\"fffffffffdab492a5a20cd0417395a73\",\"aip\":\"208.216.134.192\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"EndOfProcess\",\"id\":\"ffffffff-1111-11eb-b685-0241eaddc553\",\"name\":\"EndOfProcessV14\",\"timestamp\":\"1604855276657\"}", "created": "2020-11-08T17:07:56.657Z", "kind": "event", @@ -9323,11 +9425,12 @@ }, "country_iso_code": "US" }, - "serial_number": "fffffffffa474d216472f3edb73c75ed", "address": "208.216.134.214", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.134.214" + "ip": "208.216.134.214", + "serial_number": "fffffffffa474d216472f3edb73c75ed", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:08:37.892Z", "file": { 
@@ -9354,7 +9457,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461140Z", + "ingested": "2021-11-22T09:23:55.466146100Z", "original": "{\"AuthenticationId\":\"895027\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"1786917081743\",\"ContextThreadId\":\"31685015444484\",\"ContextTimeStamp\":\"1604855317.892\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"0000000000000000be341bb58bc5f1f2a24339010200510e\",\"FileObject\":\"18446636933702558240\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"1\",\"IsOnRemovableDisk\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"223989\",\"TargetFileName\":\"\\\\Device\\\\Mup\\\\intranet.dev\\\\int\\\\Test.pptx\",\"TokenType\":\"1\",\"aid\":\"fffffffffa474d216472f3edb73c75ed\",\"aip\":\"208.216.134.214\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"OoxmlFileWritten\",\"id\":\"ffffffff-1111-11eb-9165-067ee18a7975\",\"name\":\"OoxmlFileWrittenV11\",\"timestamp\":\"1604855329571\"}", "created": "2020-11-08T17:08:49.571Z", "kind": "event", @@ -9427,11 +9530,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff1f924e228a807ea4c0f21b0b", "address": "208.222.208.124", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.222.208.124" + "ip": "208.222.208.124", + "serial_number": "ffffffff1f924e228a807ea4c0f21b0b", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:09:11.158Z", "ecs": { 
@@ -9453,7 +9557,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461148400Z", + "ingested": "2021-11-22T09:23:55.466153400Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ConnectionDirection\":\"2\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"439029805661\",\"ContextThreadId\":\"273683743193497\",\"ContextTimeStamp\":\"1604855351.158\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"a93:432:ffff:0:c830:b4bf:1e0:ffff\",\"LocalPort\":\"50373\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemotePort\":\"0\",\"aid\":\"ffffffff1f924e228a807ea4c0f21b0b\",\"aip\":\"208.222.208.124\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkListenIP6\",\"id\":\"ffffffff-1111-11eb-85f5-02ab029194b9\",\"name\":\"NetworkListenIP6V5\",\"timestamp\":\"1604855351798\"}", "created": "2020-11-08T17:09:11.798Z", "kind": "event", @@ -9506,11 +9610,12 @@ "lat": 41.6289 } }, - "serial_number": "ffffffff1f32487185fcde66a9dc0528", "address": "208.69.144.69", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "208.69.144.69" + "ip": "208.69.144.69", + "serial_number": "ffffffff1f32487185fcde66a9dc0528", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T14:34:30.744Z", "file": { 
@@ -9539,7 +9644,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461156700Z", + "ingested": "2021-11-22T09:23:55.466276400Z", "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1457965279\",\"ContextProcessId\":\"321365562189152025\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604846070.744\",\"Entitlements\":\"15\",\"SHA256HashData\":\"e1bed7598ffdecf63a4d240f8309b528fc45068c6cb8137a5090f3afeb57f29d\",\"Size\":\"29646\",\"TargetFileName\":\"/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle/Contents/MacOS/HomeDirMechanism/..namedfork/rsrc\",\"VnodeModificationType\":\"10\",\"aid\":\"ffffffff1f32487185fcde66a9dc0528\",\"aip\":\"208.69.144.69\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"AsepFileChange\",\"id\":\"ffffffff-1111-11eb-b9b4-063e98f9b19b\",\"name\":\"AsepFileChangeMacV2\",\"timestamp\":\"1604855355495\"}", "created": "2020-11-08T17:09:15.495Z", "kind": "event", @@ -9588,11 +9693,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffa5bd4efaa195a7132c576edc", "address": "208.216.128.255", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.128.255" + "ip": "208.216.128.255", + "serial_number": "ffffffffa5bd4efaa195a7132c576edc", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:31.803Z", "ecs": { 
@@ -9613,7 +9719,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461165100Z", + "ingested": "2021-11-22T09:23:55.466283800Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3011122681\",\"ContextProcessId\":\"2932136\",\"ContextThreadId\":\"36157339485804\",\"ContextTimeStamp\":\"1604855191.803\",\"EffectiveTransmissionClass\":\"2\",\"Entitlements\":\"15\",\"LogonTime\":\"\",\"PasswordLastSet\":\"\",\"UserLogonFlags\":\"1\",\"UserName\":\"user7\",\"UserSid\":\"S-1-5-10\",\"aid\":\"ffffffffa5bd4efaa195a7132c576edc\",\"aip\":\"208.216.128.255\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"UserLogonFailed\",\"id\":\"ffffffff-1111-11eb-aa5a-0207e26418af\",\"name\":\"UserLogonFailedV1\",\"timestamp\":\"1604855193422\"}", "created": "2020-11-08T17:06:33.422Z", "kind": "event", @@ -9682,11 +9788,12 @@ "lat": 41.6325 } }, - "serial_number": "ffffffff6854438eb4181691ec47e43d", "address": "208.68.193.187", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.68.193.187" + "ip": "208.68.193.187", + "serial_number": "ffffffff6854438eb4181691ec47e43d", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:36.669Z", "ecs": { 
@@ -9708,7 +9815,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461173500Z", + "ingested": "2021-11-22T09:23:55.466290600Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1858880895\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"56042872298\",\"ContextTimeStamp\":\"1604855136.669\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"2a02:ffff:11:8000:d140:da90:aa7a:62a5\",\"LocalPort\":\"49689\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"2a00:ffff:11:809:0:0:0:200e\",\"RemotePort\":\"443\",\"aid\":\"ffffffff6854438eb4181691ec47e43d\",\"aip\":\"208.68.193.187\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"NetworkConnectIP6\",\"id\":\"ffffffff-1111-11eb-a889-061944805289\",\"name\":\"NetworkConnectIP6V5\",\"timestamp\":\"1604855199798\"}", "created": "2020-11-08T17:06:39.798Z", "kind": "event", @@ -9759,11 +9866,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffc07b49d6b7426e970523671a", "address": "208.213.180.70", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "208.213.180.70" + "ip": "208.213.180.70", + "serial_number": "ffffffffc07b49d6b7426e970523671a", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T16:42:35.987Z", "file": { 
@@ -9793,7 +9901,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461182Z", + "ingested": "2021-11-22T09:23:55.466297600Z", "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ContextProcessId\":\"321382909294815631\",\"ContextThreadId\":\"0\",\"ContextTimeStamp\":\"1604853755.987\",\"Entitlements\":\"15\",\"SHA256HashData\":\"fa07e991e0c3f3661794bba39061433265162b10cd9036751941cc45e6a4b583\",\"Size\":\"165\",\"SourceFileName\":\"/Library/Application Support/JAMF/tmp/.dat.nosync2c98.VBwjsq\",\"TargetFileName\":\"/Library/Application Support/JAMF/tmp/6B24D2B6-BC17-4470-8078-91A787A19478\",\"aid\":\"ffffffffc07b49d6b7426e970523671a\",\"aip\":\"208.213.180.70\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NewExecutableRenamed\",\"id\":\"ffffffff-1111-11eb-8773-06939a2f0915\",\"name\":\"NewExecutableRenamedMacV1\",\"timestamp\":\"1604855213224\"}", "created": "2020-11-08T17:06:53.224Z", "kind": "event", @@ -9853,11 +9961,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffa60a47af4ebd2a76070f0d4f", "address": "208.131.50.212", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "208.131.50.212" + "ip": "208.131.50.212", + "serial_number": "ffffffffa60a47af4ebd2a76070f0d4f", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T17:07:48.323Z", "ecs": { 
@@ -9877,7 +9986,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461190300Z", + "ingested": "2021-11-22T09:23:55.466304400Z", "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"203564169\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321367236803434269\",\"ContextTimeStamp\":\"1604855268.323\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP6\":\"0:0:0:0:0:0:0:0\",\"LocalPort\":\"51076\",\"Protocol\":\"6\",\"RemoteAddressIP6\":\"0:0:0:0:0:0:0:0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffa60a47af4ebd2a76070f0d4f\",\"aip\":\"208.131.50.212\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkListenIP6\",\"id\":\"ffffffff-1111-11eb-9a50-0669ff09604d\",\"name\":\"NetworkListenIP6MacV5\",\"timestamp\":\"1604855268755\"}", "created": "2020-11-08T17:07:48.755Z", "kind": "event", @@ -9926,11 +10035,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff6d724d38af99c628fb904626", "address": "208.216.134.211", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.134.211" + "ip": "208.216.134.211", + "serial_number": "ffffffff6d724d38af99c628fb904626", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:08:00.307Z", "ecs": { 
@@ -9948,7 +10058,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461198500Z", + "ingested": "2021-11-22T09:23:55.466311100Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3765958535\",\"ContextProcessId\":\"1611521722601\",\"ContextThreadId\":\"53405065993811\",\"ContextTimeStamp\":\"1604855280.307\",\"DomainName\":\"raw.githubusercontent.com\",\"DualRequest\":\"0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"InterfaceIndex\":\"0\",\"RequestType\":\"1\",\"aid\":\"ffffffff6d724d38af99c628fb904626\",\"aip\":\"208.216.134.211\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"SuspiciousDnsRequest\",\"id\":\"ffffffff-1111-11eb-885e-02ac336efd4b\",\"name\":\"SuspiciousDnsRequestV2\",\"timestamp\":\"1604855323217\"}", "created": "2020-11-08T17:08:43.217Z", "kind": "alert", @@ -10000,11 +10110,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff1990483499a736373600eef7", "address": "208.216.134.193", - "version": "100.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.134.193" + "ip": "208.216.134.193", + "serial_number": "ffffffff1990483499a736373600eef7", + "type": "agent", + "version": "100.3.0011603.1" }, "@timestamp": "2020-11-08T17:08:35.034Z", "file": { 
@@ -10022,7 +10133,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461206700Z", + "ingested": "2021-11-22T09:23:55.466317900Z", "original": "{\"ConfigBuild\":\"100.3.0011603.1\",\"ContextProcessId\":\"4492535979973\",\"ContextThreadId\":\"14023068415125\",\"ContextTimeStamp\":\"1604855315.034\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_8086\\u0026DEV_31E3\\u0026SUBSYS_080C1028\\u0026REV_03\\\\3\\u002611583659\\u00260\\u002690\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"VolumeDeviceCharacteristics\":\"131072\",\"VolumeDeviceObjectFlags\":\"134479872\",\"VolumeDeviceType\":\"8\",\"VolumeDriveLetter\":\"C:\",\"VolumeFileSystemDevice\":\"\\\\Ntfs\",\"VolumeFileSystemDriver\":\"\\\\FileSystem\\\\Ntfs\",\"VolumeFileSystemType\":\"2\",\"VolumeIsEncrypted\":\"0\",\"VolumeMountPoint\":\"\\\\??\\\\Volume{9b46da3f-ce44-432f-9230-c9201504bfd7}\",\"VolumeName\":\"\\\\Device\\\\HarddiskVolume4\",\"VolumeRealDeviceName\":\"\\\\Device\\\\HarddiskVolume4\",\"VolumeSectorSize\":\"512\",\"aid\":\"ffffffff1990483499a736373600eef7\",\"aip\":\"208.216.134.193\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"FsVolumeMounted\",\"id\":\"ffffffff-1111-11eb-9be9-024459b713c5\",\"name\":\"FsVolumeMountedV6\",\"timestamp\":\"1604855329102\"}", "created": "2020-11-08T17:08:49.102Z", "kind": "event", @@ -10093,11 +10204,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffe5ff467b4f0c4fd41a4462bb", "address": "208.71.20.13", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "208.71.20.13" + "ip": "208.71.20.13", + "serial_number": "ffffffffe5ff467b4f0c4fd41a4462bb", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T17:05:27.011Z", "ecs": { 
@@ -10119,7 +10231,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461214900Z", + "ingested": "2021-11-22T09:23:55.466324800Z", "original": "{\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1789338890\",\"ConnectionDirection\":\"0\",\"ConnectionFlags\":\"0\",\"ContextProcessId\":\"321210562584146513\",\"ContextTimeStamp\":\"1604855127.011\",\"Entitlements\":\"15\",\"InContext\":\"0\",\"LocalAddressIP4\":\"127.0.0.1\",\"LocalPort\":\"53\",\"Protocol\":\"6\",\"RemoteAddressIP4\":\"0.0.0.0\",\"RemotePort\":\"0\",\"aid\":\"ffffffffe5ff467b4f0c4fd41a4462bb\",\"aip\":\"208.71.20.13\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"NetworkListenIP4\",\"id\":\"ffffffff-1111-11eb-ae74-065212970c5d\",\"name\":\"NetworkListenIP4MacV5\",\"timestamp\":\"1604855128936\"}", "created": "2020-11-08T17:05:28.936Z", "kind": "event", @@ -10167,11 +10279,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff59514ea68b4693ddfb9b6643", "address": "208.216.134.213", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.134.213" + "ip": "208.216.134.213", + "serial_number": "ffffffff59514ea68b4693ddfb9b6643", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:06:25.108Z", "ecs": { 
@@ -10192,7 +10305,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461223500Z", + "ingested": "2021-11-22T09:23:55.466331600Z", "original": "{\"AuthenticationId\":\"999\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextTimeStamp\":\"1604855185.108\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume1\\\\Windows\\\\System32\\\\gpsvc.dll\",\"InterfaceGuid\":\"367ABB81-9844-35F1-AD32-98F038001003\",\"InterfaceVersion\":\"131072\",\"RpcClientProcessId\":\"219053851298\",\"RpcClientThreadId\":\"22047924482692\",\"RpcNestingLevel\":\"0\",\"RpcOpNum\":\"19\",\"ServiceDisplayName\":\"gpsvc\",\"TargetProcessId\":\"224116976578\",\"TargetThreadId\":\"22920092479704\",\"TokenType\":\"1\",\"UserName\":\"user7\",\"aid\":\"ffffffff59514ea68b4693ddfb9b6643\",\"aip\":\"208.216.134.213\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostedServiceStarted\",\"id\":\"ffffffff-1111-11eb-860c-0606af112d55\",\"name\":\"HostedServiceStartedV2\",\"timestamp\":\"1604855184068\"}", "created": "2020-11-08T17:06:24.068Z", "kind": "event", @@ -10250,11 +10363,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff2b5a4bf5afc6682595faa016", "address": "208.216.134.213", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.134.213" + "ip": "208.216.134.213", + "serial_number": "ffffffff2b5a4bf5afc6682595faa016", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:08:19.018Z", "ecs": { 
@@ -10272,7 +10386,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461231800Z", + "ingested": "2021-11-22T09:23:55.466338300Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextTimeStamp\":\"1604855299.018\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ServiceDisplayName\":\"wuauserv\",\"TargetProcessId\":\"661455186053\",\"TargetThreadId\":\"24238019995551\",\"aid\":\"ffffffff2b5a4bf5afc6682595faa016\",\"aip\":\"208.216.134.213\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostedServiceStopped\",\"id\":\"ffffffff-1111-11eb-9b11-0602a5689467\",\"name\":\"HostedServiceStoppedV1\",\"timestamp\":\"1604855302512\"}", "created": "2020-11-08T17:08:22.512Z", "kind": "event", @@ -10321,11 +10435,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff32cb4abc50bc133b31a69946", "address": "208.30.227.225", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.30.227.225" + "ip": "208.30.227.225", + "serial_number": "ffffffff32cb4abc50bc133b31a69946", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:07:07.625Z", "file": { 
@@ -10353,7 +10468,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461240100Z", + "ingested": "2021-11-22T09:23:55.466345100Z", "original": "{\"AuthenticationId\":\"3443175\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"3338885535\",\"ContextProcessId\":\"1091372257857\",\"ContextThreadId\":\"36855848099771\",\"ContextTimeStamp\":\"1604855227.625\",\"DiskParentDeviceInstanceId\":\"PCI\\\\VEN_1179\\u0026DEV_0113\\u0026SUBSYS_00011179\\u0026REV_01\\\\4\\u00263ad42678\\u00260\\u002600E0\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"f5ce07c6af67ec4ebe0846ff200bfc2f54f7020000002100\",\"FileObject\":\"18446603341701082336\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"0\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"288041\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Users\\\\user12\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\\\TempState\\\\Downloads\\\\ex.pdf.8e41hf8.partial\",\"TokenType\":\"1\",\"aid\":\"ffffffff32cb4abc50bc133b31a69946\",\"aip\":\"208.30.227.225\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"PdfFileWritten\",\"id\":\"ffffffff-1111-11eb-baea-02dccfbb7779\",\"name\":\"PdfFileWrittenV11\",\"timestamp\":\"1604855264313\"}", "created": "2020-11-08T17:07:44.313Z", "kind": "event", @@ -10425,11 +10540,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff655344736aca58d17fb570f0", "address": "208.239.110.158", - "version": "1007.3.0012309.1", "vendor": "crowdstrike", - "ip": "208.239.110.158" + "ip": "208.239.110.158", + "serial_number": "ffffffff655344736aca58d17fb570f0", + "type": "agent", + "version": "1007.3.0012309.1" }, "@timestamp": "2020-11-08T17:06:22.022Z", "ecs": { 
@@ -10449,7 +10565,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461248500Z", + "ingested": "2021-11-22T09:23:55.466352Z", "original": "{\"AuthenticationId\":\"3783389\",\"CommandLine\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\\\" -ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca\",\"ConfigBuild\":\"1007.3.0012309.1\",\"ConfigStateHash\":\"3998263252\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\backgroundTaskHost.exe\",\"ImageSubsystem\":\"2\",\"IntegrityLevel\":\"4096\",\"MD5HashData\":\"50d5fd1290d94d46acca0585311e74d5\",\"ParentAuthenticationId\":\"3783389\",\"ParentBaseFileName\":\"svchost.exe\",\"ParentProcessId\":\"2439558094566\",\"ProcessCreateFlags\":\"525332\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"16385\",\"ProcessStartTime\":\"1604855181.648\",\"ProcessSxsFlags\":\"1600\",\"RawProcessId\":\"22272\",\"RpcClientProcessId\":\"2439558094566\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37\",\"SessionId\":\"1\",\"SourceProcessId\":\"2439558094566\",\"SourceThreadId\":\"77538684027214\",\"Tags\":\"41, 12094627905582, 12094627906234\",\"TargetProcessId\":\"2450046082233\",\"TokenType\":\"2\",\"UserSid\":\"S-1-12-1-3697283754-1083485977-2164330645-2516515886\",\"WindowFlags\":\"128\",\"aid\":\"ffffffff655344736aca58d17fb570f0\",\"aip\":\"208.239.110.158\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-8462-02ade3b2f949\",\"name\":\"ProcessRollup2V18\",\"timestamp\":\"1604855182022\"}", "created": "2020-11-08T17:06:22.022Z", "kind": "event", 
@@ -10515,11 +10631,12 @@ "lat": 41.6289 } }, - "serial_number": "ffffffff1f32487185fcde66a9dc0528", "address": "208.69.144.69", - "version": "1007.4.0011104.1", "vendor": "crowdstrike", - "ip": "208.69.144.69" + "ip": "208.69.144.69", + "serial_number": "ffffffff1f32487185fcde66a9dc0528", + "type": "agent", + "version": "1007.4.0011104.1" }, "@timestamp": "2020-11-08T17:09:15.388Z", "ecs": { @@ -10540,7 +10657,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461306400Z", + "ingested": "2021-11-22T09:23:55.466358800Z", "original": "{\"AuthenticationId\":\"326190744\",\"AuthenticationUuid\":\"98467113-C771-4845-B71B-89B3CE9F93C9\",\"AuthenticationUuidAsString\":\"13714698-71C7-4548-B71B-89B3CE9F93C9\",\"ConfigBuild\":\"1007.4.0011104.1\",\"ConfigStateHash\":\"1457965279\",\"Entitlements\":\"15\",\"UID\":\"326190744\",\"UserPrincipal\":\"user8@dom6\",\"UserSid\":\"S-1-5-21-3629339319-2376021926-2724479216-652382488\",\"aid\":\"ffffffff1f32487185fcde66a9dc0528\",\"aip\":\"208.69.144.69\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"UserIdentity\",\"id\":\"ffffffff-1111-11eb-b9b4-063e98f9b19b\",\"name\":\"UserIdentityMacV2\",\"timestamp\":\"1604855355388\"}", "created": "2020-11-08T17:09:15.388Z", "kind": "event", @@ -10584,11 +10701,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffffcdb543135e7fcdf8e5a8fbdb", "address": "208.6.139.160", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.6.139.160" + "ip": "208.6.139.160", + "serial_number": "ffffffffcdb543135e7fcdf8e5a8fbdb", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T17:05:57.555Z", "os": { 
@@ -10609,7 +10727,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461317200Z", + "ingested": "2021-11-22T09:23:55.466365600Z", "original": "{\"BootArgs\":\" NOEXECUTE=OPTIN HYPERVISORLAUNCHTYPE=AUTO FVEBOOT=2125824 NOVGA\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"1874387338\",\"EffectiveTransmissionClass\":\"0\",\"Entitlements\":\"15\",\"MachineDomain\":\"\",\"aid\":\"ffffffffcdb543135e7fcdf8e5a8fbdb\",\"aip\":\"208.6.139.160\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"HostInfo\",\"id\":\"ffffffff-1111-11eb-9bbd-061290dcd983\",\"name\":\"HostInfoV2\",\"timestamp\":\"1604855157555\"}", "created": "2020-11-08T17:05:57.555Z", "kind": "event", @@ -10669,11 +10787,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff16bf4c7bb5ad755a4722025c", "address": "208.216.134.196", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.134.196" + "ip": "208.216.134.196", + "serial_number": "ffffffff16bf4c7bb5ad755a4722025c", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T15:57:10.593Z", "file": { 
@@ -10705,7 +10824,7 @@ }, "event": { "action": "GenericFileWritten", - "ingested": "2021-08-13T09:21:37.461326Z", + "ingested": "2021-11-22T09:23:55.466372400Z", "original": "{\"AuthenticationId\":\"703298\",\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"2642284486\",\"ContextProcessId\":\"1161025471861\",\"ContextThreadId\":\"34929528116709\",\"ContextTimeStamp\":\"1604851030.593\",\"DiskParentDeviceInstanceId\":\"USB\\\\VID_1058\\u0026PID_2621\\\\57583431453939315A4C5255\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"FileEcpBitmask\":\"0\",\"FileIdentifier\":\"262fbc677256cf4c8d6c6a227285a072c06830873b000000\",\"FileObject\":\"18446664963104449168\",\"IrpFlags\":\"1028\",\"IsOnNetwork\":\"0\",\"IsOnRemovableDisk\":\"1\",\"MajorFunction\":\"18\",\"MinorFunction\":\"0\",\"OperationFlags\":\"0\",\"Size\":\"517029\",\"TargetFileName\":\"\\\\Device\\\\HarddiskVolume5\\\\01.png.tmp$$\",\"TokenType\":\"1\",\"UserName\":\"user9\",\"aid\":\"ffffffff16bf4c7bb5ad755a4722025c\",\"aip\":\"208.216.134.196\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"GenericFileWritten\",\"id\":\"ffffffff-1111-11eb-800a-06cecfd73923\",\"name\":\"GenericFileWrittenV11\",\"timestamp\":\"1604851031298\"}", "id": "ffffffff-1111-11eb-800a-06cecfd73923", "created": "2020-11-08T15:57:11.298Z" @@ -10757,11 +10876,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff896b43725b83c79aa79959da", "address": "208.216.150.196", - "version": "1007.3.0011603.1", "vendor": "crowdstrike", - "ip": "208.216.150.196" + "ip": "208.216.150.196", + "serial_number": "ffffffff896b43725b83c79aa79959da", + "type": "agent", + "version": "1007.3.0011603.1" }, "@timestamp": "2020-11-08T15:54:59.164Z", "ecs": { 
@@ -10779,7 +10899,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461334500Z", + "ingested": "2021-11-22T09:23:55.466379200Z", "original": "{\"ConfigBuild\":\"1007.3.0011603.1\",\"ConfigStateHash\":\"666346415\",\"ContextProcessId\":\"1717987648455\",\"ContextThreadId\":\"55064470042288\",\"ContextTimeStamp\":\"1604850899.164\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"VolumeName\":\"\\\\Device\\\\HarddiskVolume27\",\"aid\":\"ffffffff896b43725b83c79aa79959da\",\"aip\":\"208.216.150.196\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"FsVolumeUnmounted\",\"id\":\"ffffffff-1111-11eb-9f70-0634389d9ea9\",\"name\":\"FsVolumeUnmountedV2\",\"timestamp\":\"1604850899812\"}", "created": "2020-11-08T15:54:59.812Z", "kind": "event", @@ -10825,11 +10945,12 @@ }, "country_iso_code": "US" }, - "serial_number": "ffffffff899541b94b9adff8922aa70a", "address": "208.193.200.164", - "version": "1007.4.0009906.1", "vendor": "crowdstrike", - "ip": "208.193.200.164" + "ip": "208.193.200.164", + "serial_number": "ffffffff899541b94b9adff8922aa70a", + "type": "agent", + "version": "1007.4.0009906.1" }, "@timestamp": "2020-11-08T15:58:18.548Z", "ecs": { @@ -10847,7 +10968,7 @@ ] }, "event": { - "ingested": "2021-08-13T09:21:37.461342800Z", + "ingested": "2021-11-22T09:23:55.466385900Z", "original": "{\"ConfigBuild\":\"1007.4.0009906.1\",\"ConfigStateHash\":\"3429017943\",\"ContextProcessId\":\"66426035996442255\",\"ContextTimeStamp\":\"1604851098.548\",\"Entitlements\":\"15\",\"aid\":\"ffffffff899541b94b9adff8922aa70a\",\"aip\":\"208.193.200.164\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Mac\",\"event_simpleName\":\"FirewallDisabled\",\"id\":\"ffffffff-1111-11eb-9d4c-02f402df8c1f\",\"name\":\"FirewallDisabledMacV1\",\"timestamp\":\"1604851040625\"}", "created": "2020-11-08T15:57:20.625Z", "kind": "event", 
@@ -10868,6 +10989,78 @@ "Entitlements": "15", "cid": "ffffffff30a3407dae27d0503611022d" } + }, + { + "observer": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "208.30.227.225", + "vendor": "crowdstrike", + "ip": "208.30.227.225", + "serial_number": "fffffffffffaaaaaaaaabbbbbbbb", + "type": "agent", + "version": "6.31.14404.0" + }, + "os": { + "type": "macos", + "version": "Big Sur (11.0)" + }, + "ecs": { + "version": "1.12.0" + }, + "related": { + "hosts": [ + "208.30.227.225", + "mac1" + ], + "ip": [ + "208.30.227.225" + ] + }, + "host": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "city_name": "San Francisco", + "timezone": "America/Los_Angeles" + }, + "name": "mac1", + "hostname": "mac1" + }, + "event": { + "ingested": "2021-11-22T09:23:55.466392700Z", + "original": "{\"AgentLoadFlags\":\"0\",\"AgentLocalTime\":\"1636436839.9529998\",\"AgentTimeOffset\":\"125.319\",\"AgentVersion\":\"6.31.14404.0\",\"BiosManufacturer\":\"Apple Inc.\",\"BiosVersion\":\"1554.140.20.0.0 (iBridge: 18.16.14759.0.1,0)\",\"ChassisType\":\"Laptop\",\"City\":\"San Francisco\",\"ComputerName\":\"mac1\",\"ConfigBuild\":\"1007.4.0014404.1\",\"ConfigIDBuild\":\"14404\",\"Continent\":\"North America\",\"Country\":\"United States\",\"FalconGroupingTags\":\"-\",\"FirstSeen\":\"1625682391.0\",\"HostHiddenStatus\":\"Visible\",\"MachineDomain\":\"none\",\"OU\":\"none\",\"PointerSize\":\"none\",\"ProductType\":\"1\",\"SensorGroupingTags\":\"-\",\"ServicePackMajor\":\"none\",\"SiteName\":\"none\",\"SystemManufacturer\":\"Apple Inc.\",\"SystemProductName\":\"MacBookPro16,2\",\"Time\":\"1636448427.3539999\",\"Timezone\":\"America/Los_Angeles\",\"Version\":\"Big Sur (11.0)\",\"aid\":\"fffffffffffaaaaaaaaabbbbbbbb\",\"aip\":\"208.30.227.225\",\"cid\":\"ffffffff30a3407dae27d0503611022ff\",\"event_platform\":\"Mac\"}" + }, + 
"crowdstrike": { + "SystemProductName": "MacBookPro16,2", + "ProductType": "1", + "Time": "2021-11-09T09:00:27.353Z", + "ConfigBuild": "1007.4.0014404.1", + "AgentTimeOffset": 125.319, + "FirstSeen": "2021-07-07T18:26:31.000Z", + "HostHiddenStatus": "Visible", + "AgentLocalTime": "2021-11-09T05:47:19.952Z", + "BiosManufacturer": "Apple Inc.", + "AgentLoadFlags": "0", + "BiosVersion": "1554.140.20.0.0 (iBridge: 18.16.14759.0.1,0)", + "ChassisType": "Laptop", + "ConfigIDBuild": "14404", + "SystemManufacturer": "Apple Inc.", + "cid": "ffffffff30a3407dae27d0503611022ff" + }, + "url": { + "scheme": "http" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs b/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs index 9ae5cc4c151..84a18ba57c1 100644 --- a/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs +++ b/packages/crowdstrike/data_stream/fdr/agent/stream/aws-s3.yml.hbs @@ -32,6 +32,9 @@ fips_enabled: {{fips_enabled}} {{#if proxy_url }} proxy_url: {{proxy_url}} {{/if}} +{{#if fdr_queue}} +sqs.notification_parse_script: {{fdr_parsing_script}} +{{/if}} {{#if tags.length}} tags: {{else}} diff --git a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml index 508621c422f..b316860efaa 100644 --- a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml 
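Review bot: The new block is guarded by `{{#if fdr_queue}}`, but the variable this stream declares in `manifest.yml` (hunk `@@ -37,6 +24,43 @@`) is named `is_fdr_queue`, so unless Fleet exposes it under another name the condition is never true and `sqs.notification_parse_script` is never rendered — the CrowdStrike-managed queue mode that the README calls the default would silently fall back to plain S3 notification parsing. The guard should read `{{#if is_fdr_queue}}`. Separately, `fdr_parsing_script` has a multi-line default (hunk `@@ -87,6 +104,30 @@` of the same manifest) and is emitted inline after the key; a multi-line plain scalar in that position is not valid YAML, so rendering it as a block scalar (`sqs.notification_parse_script: |` followed by the script, indented) or reducing the default to one line is worth confirming against a rendered agent policy.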
@@ -3,13 +3,16 @@ description: Pipeline for processing sample logs processors: ## Message decoding. - rename: + tag: message-to-original field: message target_field: event.original - json: + tag: json-decoding description: Decodes original JSON into `crowdstrike` field. field: event.original target_field: crowdstrike - date: + tag: date-timestamp description: Parse timestamp from event. field: crowdstrike.timestamp target_field: event.created @@ -17,6 +20,7 @@ processors: - UNIX_MS ignore_failure: true - date: + tag: date-event-created description: Parse timestamp from event. field: crowdstrike.CreationTimeStamp target_field: event.created @@ -25,15 +29,18 @@ processors: ignore_failure: true if: ctx?.event?.created == null - set: + tag: set-timestamp field: "@timestamp" copy_from: event.created if: ctx?.event?.created != null && (ctx?.crowdstrike?.ContextTimeStamp == null || ctx?.crowdstrike?.ContextTimeStamp == "") - date: + tag: date-context-timestamp field: crowdstrike.ContextTimeStamp formats: - UNIX ignore_failure: true - rename: + tag: rename-message field: crowdstrike.message target_field: message ignore_missing: true @@ -45,6 +52,7 @@ processors: ## Categorization. - script: + tag: script-categorize-events description: Categorize events. lang: painless source: |- @@ -306,7 +314,10 @@ processors: for (entry in ctx.crowdstrike.entrySet()) { def key = entry.getKey().toString(); if (key.contains("Count") || key.contains("Port")) { - ctx.crowdstrike[key] = Long.parseLong(entry.getValue().toString()); + try { + ctx.crowdstrike[key] = Long.parseLong(entry.getValue().toString()); + } catch (Exception e) { + } } } - script: @@ -369,6 +380,11 @@ processors: field: observer.address copy_from: observer.ip ignore_empty_value: true + - rename: + field: crowdstrike.AgentVersion + target_field: observer.version + ignore_missing: true + ignore_failure: true - rename: field: crowdstrike.ConfigBuild target_field: observer.version 
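Review bot: The empty `catch (Exception e) { }` added around `Long.parseLong` leaves the original string in `ctx.crowdstrike[key]` whenever a `*Count` or `*Port` value is not numeric, and those fields are mapped as `long` in `fields.yml`, so such a document now fails at index time with a mapping conflict instead of failing in the pipeline with the new tagged `on_failure` message. The final cleanup script only strips `''`, `'-'` and `'none'`, so any other non-numeric value survives. Nulling the value instead lets that cleanup drop the key without a structural modification during the `entrySet()` iteration: `} catch (Exception e) { ctx.crowdstrike[key] = null; // non-numeric value; removed by the trailing cleanup script }`. The enclosing script processor starts before this hunk.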
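Review bot: The new `rename` of `crowdstrike.AgentVersion` carries no `tag`, although the first hunk of this file introduces tags precisely so that the rewritten `on_failure` message (last hunk of the file) can name the failing processor; the same applies to the processors added in the hunks at `@@ -377,6 +393,9 @@`, `@@ -404,6 +423,31 @@`, `@@ -466,6 +510,12 @@`, `@@ -1037,6 +1087,16 @@` and `@@ -1102,6 +1162,23 @@`. The renames and splits use `ignore_failure: true` and never reach `on_failure`, but the `date` processors for `FirstSeen`/`Time` and the `convert` for `AgentTimeOffset` do not, so a malformed value would be reported with an empty `{{ _ingest.on_failure_processor_tag }}`. Adding a tag to each, e.g. `tag: rename-agent-version` here and `tag: date-first-seen` / `tag: convert-agent-time-offset` there, keeps the error message useful for every new processor.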
@@ -377,6 +393,9 @@ processors: - set: field: observer.vendor value: crowdstrike + - set: + field: observer.type + value: agent - append: field: related.ip value: "{{observer.ip}}" @@ -404,6 +423,31 @@ processors: value: "{{host.name}}" allow_duplicates: false if: ctx.host?.name != null + - rename: + field: crowdstrike.City + target_field: host.geo.city_name + ignore_missing: true + ignore_failure: true + - rename: + field: crowdstrike.Continent + target_field: host.geo.continent_name + ignore_missing: true + ignore_failure: true + - rename: + field: crowdstrike.Country + target_field: host.geo.country_name + ignore_missing: true + ignore_failure: true + - rename: + field: crowdstrike.Timezone + target_field: host.geo.timezone + ignore_missing: true + ignore_failure: true + - rename: + field: crowdstrike.MachineDomain + target_field: host.domain + ignore_missing: true + ignore_failure: true ## IP Geolocation Lookup - geoip: @@ -466,6 +510,12 @@ processors: field: crowdstrike.OSVersionString target_field: os.version ignore_missing: true + ignore_failure: true + - rename: + field: crowdstrike.Version + target_field: os.version + ignore_missing: true + ignore_failure: true ## Process fields. - rename: @@ -1037,6 +1087,16 @@ processors: if: ctx?.event?.action != null && (ctx.event.action.contains("File") || ctx.event.action.contains("Directory") || ctx.event.action.contains("Executable")) && ctx?._temp?.hashes != null && ctx?._temp?.hashes.size() > 0 ## Crowdstrike fields. + - split: + field: crowdstrike.FalconGroupingTags + separator: ",\\s?" + ignore_missing: true + ignore_failure: true + - split: + field: crowdstrike.SensorGroupingTags + separator: ",\\s?" + ignore_missing: true + ignore_failure: true - split: field: crowdstrike.Tags separator: ",\\s?" 
@@ -1102,6 +1162,23 @@ processors: formats: - UNIX if: ctx?.crowdstrike?.AgentLocalTime != null && ctx?.crowdstrike?.AgentLocalTime != "" + - date: + field: crowdstrike.FirstSeen + target_field: crowdstrike.FirstSeen + formats: + - UNIX + if: ctx?.crowdstrike?.FirstSeen != null && ctx?.crowdstrike?.FirstSeen != "" + - date: + field: crowdstrike.Time + target_field: crowdstrike.Time + formats: + - UNIX + if: ctx?.crowdstrike?.Time != null && ctx?.crowdstrike?.Time != "" + - convert: + field: crowdstrike.AgentTimeOffset + target_field: crowdstrike.AgentTimeOffset + type: float + ignore_missing: true - convert: field: crowdstrike.Timeout type: long @@ -1181,7 +1258,7 @@ processors: handleList(x); } } - map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + map.values().removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); } void handleList(List list) { for (def x : list) { @@ -1191,10 +1268,10 @@ processors: handleList(x); } } - list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + list.removeIf(v -> v == null || v == '' || v == '-' || v == 'none' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); } handleMap(ctx); on_failure: - set: field: error.message - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file + value: "Processor {{ _ingest.on_failure_processor_type }} with tag {{ _ingest.on_failure_processor_tag }} in pipeline {{ _ingest.on_failure_pipeline }} failed with message {{ _ingest.on_failure_message }}" \ No newline at end of file diff --git a/packages/crowdstrike/data_stream/fdr/fields/ecs.yml b/packages/crowdstrike/data_stream/fdr/fields/ecs.yml index 7dfa9ea96c6..3385f40f0fe 100644 --- a/packages/crowdstrike/data_stream/fdr/fields/ecs.yml 
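Review bot: The added `v == '-' || v == 'none'` checks run inside `handleMap`/`handleList`, which are invoked as `handleMap(ctx)` on the whole document, so they are not limited to the `crowdstrike.*` fields where the sensor emits these placeholders (`FalconGroupingTags`, `MachineDomain`, `OU`, `SiteName` in the sample event); any ECS field whose genuine value is the literal string `none` or `-` — a user name, a host name, a tag — is silently dropped, and the same literal comparison is made in both the `@@ -1181,7 +1258,7 @@` and `@@ -1191,10 +1268,10 @@` hunks. Restricting the placeholder check to `ctx.crowdstrike` (for example a separate pass over that map before the generic empty-value cleanup) would keep the document-wide cleanup limited to nulls and empties as before. A short comment on the `removeIf` line naming the sensor placeholders it targets would also help the next reader, since the reason for `'-'` and `'none'` is not visible in the script. Both `handleMap` and `handleList` begin before their hunks.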
+++ b/packages/crowdstrike/data_stream/fdr/fields/ecs.yml
@@ -90,6 +90,8 @@
 name: observer.vendor
 - external: ecs
 name: observer.version
+- external: ecs
+ name: observer.type
 - external: ecs
 name: os.type
 - external: ecs
diff --git a/packages/crowdstrike/data_stream/fdr/fields/fields.yml b/packages/crowdstrike/data_stream/fdr/fields/fields.yml
index 78e67bb57c5..859c5e6f2bf 100644
--- a/packages/crowdstrike/data_stream/fdr/fields/fields.yml
+++ b/packages/crowdstrike/data_stream/fdr/fields/fields.yml
@@ -3,6 +3,8 @@
 - name: crowdstrike
 type: group
 fields:
+ - name: AgentTimeOffset
+ type: float
 - name: AllocateVirtualMemoryCount
 type: long
 - name: ApiReturnValue
@@ -31,6 +33,8 @@
 type: keyword
 - name: CompletionEventId
 type: keyword
+ - name: ConfigBuild
+ type: keyword
 - name: ConHostId
 type: keyword
 - name: ConHostProcessId
@@ -75,6 +79,8 @@
 type: long
 - name: ExecutableDeletedCount
 type: long
+ - name: FalconGroupingTags
+ type: keyword
 - name: FileAttributes
 type: keyword
 - name: FileDeletedCount
@@ -83,12 +89,16 @@
 type: keyword
 - name: FileObject
 type: keyword
+ - name: FirstSeen
+ type: date
 - name: Flags
 type: keyword
 - name: GenericFileWrittenCount
 type: long
 - name: GrandParentBaseFileName
 type: keyword
+ - name: HostHiddenStatus
+ type: keyword
 - name: ImageSubsystem
 type: keyword
 - name: InContext
@@ -165,12 +175,16 @@
 type: keyword
 - name: Options
 type: keyword
+ - name: OU
+ type: keyword
 - name: ParentAuthenticationId
 type: keyword
 - name: PasswordLastSet
 type: keyword
 - name: PhysicalAddressLength
 type: long
+ - name: PointerSize
+ type: keyword
 - name: PrivilegedProcessHandleCount
 type: long
 - name: PrivilegesBitmask
@@ -181,6 +195,8 @@
 type: keyword
 - name: ProcessSxsFlags
 type: keyword
+ - name: ProductType
+ type: keyword
 - name: ProtectVirtualMemoryCount
 type: long
 - name: QueueApcCount
@@ -215,10 +231,14 @@
 type: long
 - name: ScriptEngineInvocationCount
 type: long
+ - name: SensorGroupingTags
+ type: keyword
 - name: ServiceDisplayName
 type: keyword
 - name: ServiceEventCount
 type: long
+ - name: ServicePackMajor
+ type: keyword
 - name: SessionId
 type: keyword
 - name: SessionProcessId
@@ -229,6 +249,8 @@
 type: keyword
 - name: Size
 type: long
+ - name: SiteName
+ type: keyword
 - name: SnapshotFileOpenCount
 type: long
 - name: SourceFileName
@@ -255,6 +277,8 @@
 type: keyword
 - name: TargetThreadId
 type: keyword
+ - name: Time
+ type: date
 - name: Timeout
 type: long
 - name: TokenType
diff --git a/packages/crowdstrike/data_stream/fdr/manifest.yml b/packages/crowdstrike/data_stream/fdr/manifest.yml
index e134d3716ca..1160e771e28 100644
--- a/packages/crowdstrike/data_stream/fdr/manifest.yml
+++ b/packages/crowdstrike/data_stream/fdr/manifest.yml
@@ -6,19 +6,6 @@ streams:
 title: Falcon Data Replicator logs
 description: Collect Falcon Data Replicator logs using s3 input
 vars:
- - name: shared_credential_file
- type: text
- title: Shared Credential File
- multi: false
- required: false
- show_user: false
- description: Directory of the shared credentials file
- - name: credential_profile_name
- type: text
- title: Credential Profile Name
- multi: false
- required: false
- show_user: false
 - name: access_key_id
 type: text
 title: Access Key ID
@@ -37,6 +24,43 @@ streams: multi: false required: false show_user: true + - name: queue_url + type: text + title: Queue URL + multi: false + required: true + show_user: true + description: URL of the AWS SQS queue that messages will be received from. + - name: is_fdr_queue + type: bool + title: Is FDR queue + multi: false + required: true + show_user: true + description: | + By default the FDR queue is expected. This option must be set to `false` if you are using your own queue. + default: true + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: shared_credential_file + type: text + title: Shared Credential File + multi: false + required: false + show_user: false + description: Directory of the shared credentials file + - name: credential_profile_name + type: text + title: Credential Profile Name + multi: false + required: false + show_user: false - name: role_arn type: text title: Role ARN @@ -65,13 +89,6 @@ streams: required: false show_user: false description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. - - name: queue_url - type: text - title: Queue URL - multi: false - required: true - show_user: true - description: URL of the AWS SQS queue that messages will be received from. - name: fips_enabled type: bool title: Enable S3 FIPS 
@@ -87,6 +104,30 @@ streams: required: false show_user: false description: URL to proxy connections in the form of http[s]://:@: + - name: fdr_parsing_script + type: text + title: FDR Notification Parsing Script + multi: false + required: true + show_user: false + description: The JS script used to parse the custom format of SQS FDR notifications. + default: | + function parse(n) { + var m = JSON.parse(n); + var evts = []; + var files = m.files; + var bucket = m.bucket; + if (!Array.isArray(files) || (files.length == 0) || bucket == null || bucket == "") { + return evts; + } + files.forEach(function(f){ + var evt = new S3EventV2(); + evt.SetS3BucketName(bucket); + evt.SetS3ObjectKey(f.path); + evts.push(evt); + }); + return evts; + } - name: tags type: text title: Tags @@ -104,14 +145,6 @@ streams: description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false - input: logfile title: Falcon Data Replicator logs description: Collect Falcon Data Replicator logs using a log file @@ -123,6 +156,14 @@ streams: default: - /var/log/falcon_data_replicator.log show_user: true + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false - name: tags type: text title: Tags 
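Review bot: The default `parse` function assumes every element of `files` is an object with a string `path`; an element without one makes `evt.SetS3ObjectKey(f.path)` receive `undefined`, and `bucket` is taken from the message body without further checks, so a malformed notification produces an event with an empty or missing object key rather than being skipped (whether `S3EventV2` rejects such a key cannot be told from here). A guard inside the loop, `if (!f || typeof f.path !== "string" || f.path === "") { return; }`, skips such entries, and the outer check could equally drop bucket values that are not strings. Since the variable is hidden (`show_user: false`) yet `required: true`, the description should also say that the value is passed verbatim as the aws-s3 input's `sqs.notification_parse_script` and is only used when `Is FDR queue` is enabled, so an operator who overrides it knows which input option they are replacing.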
@@ -140,11 +181,3 @@ streams: description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - - name: preserve_original_event - required: true - show_user: true - title: Preserve original event - description: Preserves a raw copy of the original event, added to the field `event.original` - type: bool - multi: false - default: false diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md index a767933e555..dbbc9d5ffe0 100644 --- a/packages/crowdstrike/docs/README.md +++ b/packages/crowdstrike/docs/README.md 
@@ -329,8 +329,38 @@ An example event for `falcon` looks as following: ### FDR -The Falcon Data Replicator replicates log data from your CrowdStrike environment to a stand-alone target. This target can be a location on the file system, or an S3 bucket. +The CrowdStrike Falcon Data Replicator (FDR) allows CrowdStrike users to replicate FDR data from CrowdStrike +managed S3 buckets. CrowdStrike writes notification events to a CrowdStrike managed SQS queue when new data is +available in S3. +This integration can be used in two ways. It can consume SQS notifications directly from the CrowdStrike managed +SQS queue or it can be used in conjunction with the FDR tool that replicates the data to a self-managed S3 bucket +and the integration can read from there. + +In both cases SQS messages are deleted after they are processed. This allows you to operate more than one Elastic +Agent with this integration if needed and not have duplicate events, but it means you cannot ingest the data a second time. + +#### Use with CrowdStrike managed S3/SQS + +This is the simplest way to setup the integration, and also the default. + +You need to set the integration up with the SQS queue URL provided by Crowdstrike FDR. +Ensure the `Is FDR queue` option is enabled. + +#### Use with FDR tool and data replicated to a self-managed S3 bucket + +This option can be used if you want to archive the raw CrowdStrike data. + +You need to follow the steps below: + +- Create a S3 bucket to receive the logs. +- Create a SQS queue. +- Configure your S3 bucket to send object created notifications to your SQS queue. +- Follow the [FDR tool](https://github.com/CrowdStrike/FDR) instructions to replicate data to your own S3 bucket. +- Configure the integration to read from your self-managed SQS topic. +- Disable the `Is FDR queue` option in the integration. 
+ +**NOTE: While the FDR tool can replicate the files from S3 to your local file system, this integration cannot read those files because they are gzip compressed, and the log file input does not support reading compressed files.** #### Configuration for the S3 input @@ -419,6 +449,7 @@ for more details. | @timestamp | Event timestamp. | date | | crowdstrike.AgentLoadFlags | | keyword | | crowdstrike.AgentLocalTime | | date | +| crowdstrike.AgentTimeOffset | | float | | crowdstrike.AgentVersion | | keyword | | crowdstrike.AllocateVirtualMemoryCount | | long | | crowdstrike.ApiReturnValue | | keyword | @@ -450,6 +481,7 @@ for more details. | crowdstrike.CompletionEventId | | keyword | | crowdstrike.ConHostId | | keyword | | crowdstrike.ConHostProcessId | | keyword | +| crowdstrike.ConfigBuild | | keyword | | crowdstrike.ConfigIDBase | | keyword | | crowdstrike.ConfigIDBuild | | keyword | | crowdstrike.ConfigIDPlatform | | keyword | @@ -491,6 +523,7 @@ for more details. | crowdstrike.FXFileSize | | keyword | | crowdstrike.Facility | | keyword | | crowdstrike.FailedConnectCount | | long | +| crowdstrike.FalconGroupingTags | | keyword | | crowdstrike.FeatureExtractionVersion | | keyword | | crowdstrike.FeatureVector | | keyword | | crowdstrike.File | | keyword | @@ -500,9 +533,11 @@ for more details. | crowdstrike.FileObject | | keyword | | crowdstrike.FirmwareAnalysisEclConsumerInterfaceVersion | | keyword | | crowdstrike.FirmwareAnalysisEclControlInterfaceVersion | | keyword | +| crowdstrike.FirstSeen | | date | | crowdstrike.Flags | | keyword | | crowdstrike.GenericFileWrittenCount | | long | | crowdstrike.GrandParentBaseFileName | | keyword | +| crowdstrike.HostHiddenStatus | | keyword | | crowdstrike.IOServiceClass | | keyword | | crowdstrike.IOServiceName | | keyword | | crowdstrike.IOServicePath | | keyword | 
@@ -569,6 +604,7 @@ for more details. | crowdstrike.NewFileIdentifier | | keyword | | crowdstrike.OSVersionFileData | | keyword | | crowdstrike.OSVersionFileName | | keyword | +| crowdstrike.OU | | keyword | | crowdstrike.OperationFlags | | keyword | | crowdstrike.Options | | keyword | | crowdstrike.OutErrors | | keyword | @@ -583,6 +619,7 @@ for more details. | crowdstrike.PciAttachmentState | | keyword | | crowdstrike.PhysicalAddressLength | | long | | crowdstrike.PhysicalCoreCount | | long | +| crowdstrike.PointerSize | | keyword | | crowdstrike.PreviousConnectTime | | date | | crowdstrike.PrivilegedProcessHandleCount | | long | | crowdstrike.PrivilegesBitmask | | keyword | @@ -591,6 +628,7 @@ for more details. | crowdstrike.ProcessParameterFlags | | keyword | | crowdstrike.ProcessSxsFlags | | keyword | | crowdstrike.ProcessorPackageCount | | long | +| crowdstrike.ProductType | | keyword | | crowdstrike.ProtectVirtualMemoryCount | | long | | crowdstrike.ProvisionState | | keyword | | crowdstrike.PupAdwareConfidence | | keyword | @@ -613,13 +651,16 @@ for more details. | crowdstrike.SVUID | | keyword | | crowdstrike.ScreenshotsTakenCount | | long | | crowdstrike.ScriptEngineInvocationCount | | long | +| crowdstrike.SensorGroupingTags | | keyword | | crowdstrike.SensorStateBitMap | | keyword | | crowdstrike.ServiceDisplayName | | keyword | | crowdstrike.ServiceEventCount | | long | +| crowdstrike.ServicePackMajor | | keyword | | crowdstrike.SessionId | | keyword | | crowdstrike.SessionProcessId | | keyword | | crowdstrike.SetThreadContextCount | | long | | crowdstrike.ShareAccess | | keyword | +| crowdstrike.SiteName | | keyword | | crowdstrike.Size | | long | | crowdstrike.SnapshotFileOpenCount | | long | | crowdstrike.SourceFileName | | keyword | 
@@ -642,6 +683,7 @@ for more details.
 | crowdstrike.Tags | | keyword |
 | crowdstrike.TargetFileName | | keyword |
 | crowdstrike.TargetThreadId | | keyword |
+| crowdstrike.Time | | date |
 | crowdstrike.Timeout | | long |
 | crowdstrike.TokenType | | keyword |
 | crowdstrike.USN | | keyword |
@@ -750,6 +792,7 @@ for more details.
 | observer.geo.region_name | Region name. | keyword |
 | observer.ip | IP addresses of the observer. | ip |
 | observer.serial_number | Observer serial number. | keyword |
+| observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. | keyword |
 | observer.vendor | Vendor name of the observer. | keyword |
 | observer.version | Observer version. | keyword |
 | os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml
index b78aee980c5..9348aa73ecf 100644
--- a/packages/crowdstrike/manifest.yml
+++ b/packages/crowdstrike/manifest.yml
@@ -1,6 +1,6 @@
 name: crowdstrike
 title: CrowdStrike Logs
-version: 1.0.3
+version: 1.0.4
 description: Collect and parse falcon logs from Crowdstrike products with Elastic Agent.
 type: integration
 format_version: 1.0.0